diff --git a/README.md b/README.md index 6e2f59f..51c82c0 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements [Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware. -Category: *tool* - source: *Open Sources* - total: *28* elements +Category: *tool* - source: *Open Sources* - total: *29* elements [[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] @@ -87,7 +87,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47 [Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy -Category: *tool* - source: *MISP Project* - total: *130* elements +Category: *tool* - source: *MISP Project* - total: *132* elements [[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)] @@ -495,7 +495,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements [Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large. -Category: *actor* - source: *MISP Project* - total: *37* elements +Category: *actor* - source: *MISP Project* - total: *46* elements [[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)] @@ -503,7 +503,7 @@ Category: *actor* - source: *MISP Project* - total: *37* elements [Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project. -Category: *tool* - source: *Various* - total: *1804* elements +Category: *tool* - source: *Various* - total: *1809* elements [[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] 
@@ -543,7 +543,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements [Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules. -Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2964* elements +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2970* elements [[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] @@ -607,7 +607,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *736* elements +Category: *actor* - source: *MISP Project* - total: *751* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] @@ -615,7 +615,7 @@ Category: *actor* - source: *MISP Project* - total: *736* elements [Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster -Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *78* elements +Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *83* elements [[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)] 
@@ -623,7 +623,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns [Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy -Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *200* elements +Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *206* elements [[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)] @@ -631,7 +631,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group [Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster -Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4309* elements +Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4349* elements [[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)] @@ -639,7 +639,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc [Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster -Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1014* elements +Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1053* elements [[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)] diff --git a/clusters/backdoor.json b/clusters/backdoor.json index d41dede..25cfd99 100644 --- a/clusters/backdoor.json +++ b/clusters/backdoor.json 
@@ -488,7 +488,17 @@ ], "uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff", "value": "TERRIBLETEA" + }, + { + "description": "Merdoor is a fully-featured backdoor that appears to have been in existence since 2018.\nThe backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.", + "meta": { + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" + ] + }, + "uuid": "8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4", + "value": "Merdoor" } ], - "version": 19 + "version": 20 } diff --git a/clusters/botnet.json b/clusters/botnet.json index c3d9d0a..05e7fbd 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -2031,7 +2031,29 @@ }, "uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff", "value": "Ztorg" + }, + { + "meta": { + "refs": [ + "https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router", + "https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd" + ], + "synonyms": [ + "7777" + ] + }, + "uuid": "3e027dad-9c0a-437e-9938-dd3cf13b0c22", + "value": "Quad7" + }, + { + "meta": { + "refs": [ + "https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router" + ] + }, + "uuid": "963d898f-dc48-409e-8069-aaa51ad6664c", + "value": "63256 botnet" } ], - "version": 35 + "version": 36 } diff --git a/clusters/producer.json b/clusters/producer.json index d8161eb..a6f456b 100644 --- a/clusters/producer.json +++ b/clusters/producer.json 
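Review bot: The new Merdoor entry cites the Symantec write-up but records no link to the operator that write-up attributes the backdoor to, so the cluster cannot be pivoted from actor to tool in MISP. The ref's slug names Lancefly; if a threat-actor cluster exists for that group, a `"related"` entry of the shape this repository already uses in ransomware.json (`{"dest-uuid": "<lancefly uuid>", "tags": ["estimative-language:likelihood-probability=\"likely\""], "type": "used-by"}`) would carry that attribution. I cannot tell from this diff whether such a cluster exists, so treat this as a check rather than a required change.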
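Review bot: The `63256 botnet` entry ships with no `description` and no relationship to the `Quad7` entry added directly above it, although both cite the same Team Cymru post, so a consumer sees two unrelated clusters coming out of one report. A one-line `description` stating what distinguishes it from Quad7 per that source, plus a `"related"` entry pointing at Quad7's uuid `3e027dad-9c0a-437e-9938-dd3cf13b0c22` (the `related`/`dest-uuid` shape is the one used in the ransomware.json hunk of this same commit), would make the link explicit. Whether the two are one botnet or two distinct ones cannot be determined from the diff, so the relationship `type` should follow what the cited post says.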
@@ -448,7 +448,7 @@ "value": "BleepingComputer" }, { - "description": "", + "description": "Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV[3] anti-virus engine", "meta": { "country": "US", "refs": [ 
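Review bot: The new Cisco Talos description still contains a Wikipedia footnote marker in `ClamAV[3] anti-virus engine` and ends without a full stop, which reads as a copy-paste artefact in an otherwise curated field. Change the tail to `... including the Snort intrusion prevention system and ClamAV anti-virus engine.`. If the text is lifted from the Wikipedia article, adding that article to `refs` would credit the source the way the Recorded Future and Fortinet entries in this commit do; the existing `refs` content for Talos sits outside the hunk.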
@@ -663,7 +663,268 @@ }, "uuid": "e5964f36-7644-4f73-bdfd-f24d9e006656", "value": "Avira" + }, + { + "description": "Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California.", + "uuid": "a0a87034-b8ff-4991-9ae1-e650a43292ef", + "value": "Cloudflare" + }, + { + "description": "Recorded Future, Inc. is an American privately held cybersecurity company founded in 2009, with headquarters in Somerville, Massachusetts.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.recordedfuture.com/" + ], + "product-type": [ + "Digital Risk Protection", + "Threat Intelligence", + "Exposure Management", + "Threat Intelligence Feeds" + ], + "products": [ + "Threat Intelligence", + "Brand Intelligence", + "SecOps Intelligence", + "Vulnerability Intelligence", + "Third-Party Intelligence", + "Geopolitical Intelligence", + "Attack Surface Intelligence", + "Identity Intelligence", + "Payment Fraud Intelligence", + "Analyst On Demand" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Recorded_Future", + "https://www.recordedfuture.com/resources" + ], + "synonyms": [ + "Recorded Future, Inc", + "Insikt Group" + ] + }, + "uuid": "ad7032df-0e9a-4ea9-b35c-c68ff854be80", + "value": "Recorded Future" + }, + { + "description": "Cyble empowers organizations to take control of their cyber risks with AI-driven, cybersecurity platforms.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://cyble.com/" + ], + "product-type": [ + "Digital Risk Protection", + "Threat Intelligence", + "Exposure Management" + ], + "products": [ + "Cyble Vision", + "Cyble Hawk", + "AmIBreached", + "Odin", + "The Cyber Express" + ], + "refs": [ + 
"https://cyble.com/resources/", + "https://thecyberexpress.com/" + ], + "synonyms": [ + "The Cyber Express" + ] + }, + "uuid": "43e3e0a8-a12d-450a-8f2d-94915123549c", + "value": "Cyble" + }, + { + "description": "CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence", + "meta": { + "company-type": "Cyber Intelligence Provider", + "country": "SG", + "official-refs": [ + "https://www.cyfirma.com/" + ], + "product-type": [ + "Threat Intelligence", + "Digital Risk Protection", + "Mobile App" + ], + "products": [ + "DeCYFIR", + "DeTCT", + "DeFNCE" + ], + "refs": [ + "https://www.cyfirma.com/research/", + "https://golden.com/wiki/CYFIRMA-K46ZYP8" + ] + }, + "uuid": "9d804c53-f307-421c-9f4d-41061c7eee62", + "value": "Cyfirma" + }, + { + "description": "SentinelOne, Inc. is an American cybersecurity company listed on NYSE based in Mountain View, California.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.sentinelone.com/" + ], + "product-type": [ + "Endpoint Protection", + "Endpoint Detection Response", + "Deception Technology" + ], + "products": [ + "Singularity Platform", + "Singularity Identity", + "Singularity Hologram" + ], + "refs": [ + "https://www.sentinelone.com/labs/" + ], + "synonyms": [ + "Sentinel One" + ] + }, + "uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461", + "value": "SentinelOne" + }, + { + "description": "Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. 
The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.fortinet.com/" + ], + "product-type": [ + "Firewall", + "Application delivery controller", + "SOAR", + "Web application firewall / API security", + "Network security platform" + ], + "products": [ + "FortiADC", + "FortiAnalyzer", + "FortiAuthenticator", + "FortiCASB", + "FortiClient", + "FortiEDR", + "FortiCNP", + "FortiDDos", + "FortiDeceptor", + "FortiExtender", + "FortiGate", + "FortiIsolator", + "FortiMail", + "FortiManager", + "FortiNAC", + "FortiPAM", + "FortiSandbox", + "FortiSIEM", + "FortiSASE", + "FortiSOAR", + "FortiSwitch", + "FortiTester", + "FortiToken", + "FortiVoice", + "FortiWeb" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Fortinet", + "https://www.fortinet.com/blog/threat-research" + ] + }, + "uuid": "bfafdca5-3171-4953-86ab-c74f44822fd3", + "value": "Fortinet" + }, + { + "description": "Zscaler, Inc. (/ˈziːˌskeɪlər/) is an American cloud security company based in San Jose, California. The company offers cloud-based services to protect enterprise networks and data.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.zscaler.com/" + ], + "product-type": [ + "Secure Web Gateway", + "SASE", + "VPN", + "CASB", + "DLP" + ], + "products": [ + "Zscaler Internet Access", + "Zscaler Private Access", + "Zscaler Digital Experience", + "Zscaler Zero Trust Exchange" + ], + "refs": [ + "https://www.zscaler.com/blogs?type=security-research", + "https://en.wikipedia.org/wiki/Zscaler" + ] + }, + "uuid": "1427d7df-a9b8-4809-afe0-1180cfdd930d", + "value": "Zscaler" + }, + { + "description": "Splunk Inc. 
is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "product-type": [ + "SIEM", + "Observability", + "SOAR", + "UEBA" + ], + "products": [ + "Splunk Enterprise Security", + "Splunk ITSI", + "Splunk SOAR", + "Splunk Observability Cloud", + "Splunk UEBA" + ], + "refs": [ + "https://www.splunk.com/", + "https://www.splunk.com/en_us/blog/security.html", + "https://en.wikipedia.org/wiki/Splunk" + ] + }, + "uuid": "7acb73f9-83c8-4a1d-88e5-873bad8659fa", + "value": "Splunk" + }, + { + "description": "Huntress Labs Incorporated operates as a security software solution provider. The Company provides managed threat detection and response services to uncover, address persistent footholds that prevent defenses. Huntress Labs serves customers in the United States.", + "meta": { + "company-type": "Cyber Security Vendor", + "country": "US", + "official-refs": [ + "https://www.huntress.com/" + ], + "product-type": [ + "Managed Security", + "Endpoint Detection Response", + "Security Awareness Training" + ], + "products": [ + "Managed EDR", + "MDR for Microsoft 365", + "Security Awareness Training", + "Managed SIEM" + ], + "refs": [ + "https://www.huntress.com/", + "https://www.huntress.com/blog" + ] + }, + "uuid": "9bfc59a7-ab20-4ef0-8034-871956d4a9cc", + "value": "Huntress" } ], - "version": 11 + "version": 15 } diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 2a91f5c..8c15a5d 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -1494,6 +1494,15 @@ "HavocCrypt Ransomware" ] }, + "related": [ + { + "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396", "value": "Havoc" }, 
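Review bot: The Cloudflare entry has no `meta` block at all, while every other producer added in this hunk carries `country`, `official-refs` and `refs`, so it cannot be filtered or attributed like its siblings; at minimum `"meta": {"company-type": "Cyber Security Vendor", "country": "US"}` is supported by its own description, and the vendor site and research blog belong in `official-refs`/`refs`. Separately, the Cyble entry lists `The Cyber Express` both under `products` and under `synonyms`; a news outlet is not an alias of the company, and leaving it as a synonym makes that name resolve to Cyble as a producer. Minor: the Zscaler description carries the IPA pronunciation `(/ˈziːˌskeɪlər/)` copied from Wikipedia, which is noise in this field, and Splunk is the only entry here without `official-refs`.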
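Review bot: The new `related` entry on Havoc points at `dest-uuid` `6f7489f5-7edc-4693-b35a-44e79c969678`, which appears nowhere else in this diff, so the target cluster and its type cannot be checked from the change; a dangling dest-uuid passes JSON validation but yields a broken relationship once loaded into MISP. Please confirm the uuid resolves to an existing cluster (presumably a threat actor, given `"type": "used-by"`) and that the `likely` estimative tag is backed by one of the refs on the Havoc entry, which sit outside this hunk.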
@@ -14569,7 +14578,10 @@ ], "links": [ "http://ekbgzchl6x2ias37.onion", - "http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/" + "http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/", + "http://3ws3t4uo7fehnn4qpmadk3zjrxta5xlt3gsc5mx4sztrsy7ficuz5ayd.onion/", + "http://amnwxasjtjc6e42siac6t45mhbkgtycrx5krv7sf5festvqxmnchuayd.onion/", + "http://qahjimrublt35jlv4teesicrw6zhpwhkb6nhtonwxuqafmjhr7hax2id.onion/" ], "refs": [ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", @@ -16067,7 +16079,13 @@ "description": "Ransomware", "meta": { "links": [ - "http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion" + "http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion", + "http://4qyjonpyksc52bc3fsgfgedssqgo4a6vlfsjknqnkncbyl4layqkqjid.onion/", + "http://eleav2eq3ioyiuevbyvqaz3vruwvpislphszo4cm7n56itbpnupxngyd.onion/", + "http://2cyxmof76rxeqze5snxxooqmhzjtcploqswxoxmenfayphumdhrtrzqd.onion/", + "http://rqqn25k3hgmfkh7ykjbmakjgidwweomr7cbpy6pfecpxs57r5iwzwtyd.onion/", + "http://mu6se7h7qfwuqclr4cc6zy7qevod6gyk37aq5vwnayrtbx3qqycx2fyd.onion/", + "http://urey23jtg6z7xx3tiybmc4sgcim7dawiz2abl6crpup2lfobf7yb5wyd.onion/" ], "refs": [ "https://www.ransomlook.io/group/blackout" 
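Review bot: Three new onion mirrors are appended to `links` while the visible `refs` line beneath still points at `CERTFR-2020-CTI-001.pdf`, so nothing in the entry records where or when the new addresses were observed; leak-site mirrors churn quickly, and an unsourced, undated address cannot be re-verified or aged out later. Adding the source of the three addresses to `refs`, as the later hunks do with ransomlook.io group pages, would keep the indicators traceable. The six Blackout mirrors added in the next hunk at least retain their ransomlook ref, but the same provenance gap applies to them.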
@@ -26489,7 +26507,19 @@ "links": [ "https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/", "https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion", - "http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/" + "http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/", + "http://6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion/", + "http://r6qkk55wxvy2ziy47oyhptesucwdqqaip23uxregdgquq5oxxlpeecad.onion/", + "http://weqv4fxkacebqrjd3lmnss6lrmoxoyihtcc6kdc6mblbv62p5q6skgid.onion/", + "http://thesiliconroad1.top/", + "http://stuffstevenpeters4.top/", + "http://greenmotors5.top/", + "http://megatron3.top/", + "http://fmzipzpirdpfelbbvnfhoehqxbqg7s7efmgce6hpr5xdcmeazdmic2id.onion/", + "http://daulpxe3epdysjozaujz4sj7rytanp4suvdnebxkwdfcuzwxlslebvyd.onion/", + "http://databasebb3.top/", + "http://l6zxfn3u2s4bl4vt3nvpve6uibqn3he3tgwdpkeeplhwlfwy3ifbt5id.onion/", + "http://onlylegalstuff6.top/" ], "ransomnotes": [ "Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]" @@ -26733,7 +26763,8 @@ ], "links": [ "http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion/", - "https://0mega.cc/" + "https://0mega.cc/", + "https://0mega.ws/" ], "ransomnotes-filenames": [ "DECRYPT-FILES.txt" 
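Review bot: The clearnet names `thesiliconroad1.top`, `stuffstevenpeters4.top`, `greenmotors5.top`, `megatron3.top`, `databasebb3.top` and `onlylegalstuff6.top` are mixed into `links` alongside onion addresses with no ref attributing them to this group. Unlike an onion address, a registrable domain can lapse and be re-registered by an unrelated party, so an unsourced `.top` entry in a long-lived cluster becomes a future false positive for anyone consuming these links as indicators. A ref naming the observation, or a sentence in `description`, would let the entries be re-validated; the same caveat applies to `https://0mega.ws/` added in the next hunk.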
@@ -27640,7 +27671,8 @@ "http://lbbjmbkvw3yurmnazwkbj5muyvw5dd6y7hyxrus23y33qiqczclrnbyd.onion/", "http://lbbpoq6d2jglpw7dxarr6oaakgnlxt5nmrza5ojlufsuffuzexajsuyd.onion/", "http://lbbp2rsfcmg5durpwgs22wxrdngsa4wiwmc4xk6hgmuluy6bvbvvtlid.onion/", - "http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/" + "http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/", + "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php" ], "refs": [ "https://threatpost.com/lockbit-ransomware-proliferates-globally/168746", @@ -28417,7 +28449,8 @@ "links": [ "https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion", "https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login", - "https://huntersinternational.net" + "https://huntersinternational.net", + "http://huntersinternational.su" ], "refs": [ "https://www.ransomlook.io/group/hunters" @@ -28524,7 +28557,8 @@ "meta": { "links": [ "http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/", - "http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion" + "http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion", + "http://92.118.36.204/" ], "refs": [ "https://www.ransomlook.io/group/8base" 
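Review bot: The new LockBit link `http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php` is a page-level path, whereas every other entry in this `links` array is a host root; consumers that normalise links to hosts will drop the path, and the page name will rot faster than the host does. Unless the specific page is the point, record the host as `http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/`.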
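Review bot: `http://92.118.36.204/` adds a bare IPv4 address to the 8base `links` with no ref and no date; an IP can be reassigned to an unrelated host long before this cluster is revisited, so it is the weakest kind of indicator to carry here unqualified. Either attach a ref documenting the observation or put the context (role of the host, date seen) into the entry so the address can be aged out. The `http://huntersinternational.su` clearnet name added to Hunters International in the preceding hunk has the same gap.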
@@ -28551,7 +28585,19 @@ "description": "", "meta": { "links": [ - "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion" + "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion", + "http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion", + "http://nz2ihtemh2zli2wc3bovzps55clanspsqx5htu2plolby45a7pk4d3qd.onion/", + "http://qjdremetxo2zpli32exwb5uct6cjljyj7v52d5thn7usmj5mlyxdojqd.onion/", + "http://yef4xoqj2jq554rqetf2ikmpdtewdlbnx5xrtjtjqaotvfw77ipb6pad.onion/", + "http://ptsfbwx5j7kyk5r6n6uz4faic43jtb55sbls7py5wztwbxkyvsikguid.onion/", + "http://ro4h37fieb6oyfrwoi5u5wpvaalnegsxzxnwzwzw43anxqmv6hjcsfyd.onion/", + "http://cyfafnmijhiqxxfhtofmn5lgk3w5ana6xzpc6gk5uvdfadqflvznpjyd.onion/", + "http://betrvom4agzebo27bt7o3hk35tvr7ppw3hrx5xx4ecvijwfsb4iufoyd.onion/", + "http://ybo3xr25btxs47nmwykoudoe23nyv6ftkcpjdo4gilfzww4djpurtgid.onion/", + "http://k6wtpxwq72gpeil5hqofae7yhbtxphbkyoe2g7rwmpx5sadc4sgsfvid.onion/", + "http://vm2rbvfkcqsx2xusltbxziwbsrunjegk6qeywf3bxpjlznq622s3iead.onion/", + "http://ng2gzceugc2df6hp6s7wtg7hpupw37vqkvamaydhagv2qbrswdqlq6ad.onion/" ], "refs": [ "https://www.ransomlook.io/group/black suit" 
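Review bot: The `refs` entry `https://www.ransomlook.io/group/black suit` contains a literal space, which makes it an invalid URI under RFC 3986; strict URL validators, and possibly some import paths, may reject or mangle it. Since this hunk already edits the entry, encoding it as `https://www.ransomlook.io/group/black%20suit` is the fix; that the ransomlook.io site serves the encoded form should be checked once. The same pattern is repeated in the new `osyolorz collective` entry later in this commit.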
@@ -28616,7 +28662,34 @@ { "meta": { "links": [ - "http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion" + "http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion", + "http://ufvi7hpcawesdklmommeeq4iokhq2km4hay3dwh4rirth5xaomle35id.onion/", + "http://t7ogwvu74a6flssns55yv7zw2xvssqbhrdbxqrwbahumyzwklnvqayid.onion/", + "http://gmxnejtsg3uiwopmnsooxbi3p2nukwemkvm7bg44tgbbnuuuyofqjfyd.onion/", + "http://jtjz6utbmabwcatyomwxaeum7ey7nxs7yooqflxhctnksjqsnammonqd.onion/", + "http://2mhkqjcw4auxop7auchz2iijcbj63qccwodtokofbb2ul5oejkkt6xyd.onion/", + "http://wka7ma7rzgmzmtn65dhv5zp5p6e3uv5sydnns7xsf6kpf7noukhchhqd.onion/", + "http://l3yeoyhnphtymqua5env7qitedmqv5ahe7waxgndwa64z2c2h3cjjhqd.onion/", + "http://2j45tydxcvm44jbyr6krhx77rzey3jtif5qdjak2gik4usoljvvhqaid.onion/", + "http://cuft7z2xlfogrtx4ddqnjqyerye2qtagksow2fip4xbb5iw7dsgtvhqd.onion/", + "http://wyz32kscr2ythqpyjwqfxcaxn5576fdurr7jag44gggnmi4cvhykhvid.onion/", + "http://3pb6cefz6hubgyb2ph7ua7yjzjpxwapbbp5zomz7xmvrjhjfykjwu6id.onion/", + "http://kn4spxunete4ddz7375i2wpnj4vvkir7wdmcg2pc5yod56lmb54nbayd.onion/", + "http://2ikvareyuw2wjnc4vb5yteq7d2tkg6k3gevnixzqtkn3cpvej6ajj4yd.onion/", + "http://wflff64dxxqvfhd7poarkvkphmibdjyyhv7h4zqo5m52ggsgncmbrbqd.onion/", + "http://frheu6drsqpehmuyrdxdrfu5bzqwxps4zlmnuxlcnxskwxcwqsyhwxyd.onion/", + "http://kceqbaoxmx2czutxty3mq35m5mv46dq66hpszrhbhduj7uwhu6ax3qad.onion/", + "http://4nsmlpz4qceow7bfrmarxdqaj7chcqobin3mzb27uhscb2yvjs6j4xqd.onion/", + "http://nka6xgyyu77ksb5xmmovp4en2hrkg53mfq2osql526oe7nybnlggfgid.onion/", + "http://mflnjnwfinorxxsgkyfel3fqanbtbbrl5k5mqqjwmrf7o3jc6a4hy3id.onion/", + "http://jtt4lqatjtrj5hxxi33dczkluouf5wivzdmy4v62dnhipk6ixk5mktad.onion/", + "http://udugclljnfcx34amtpddkjggmkfqci5xnlfef2hqtxstufulo3pvauid.onion/", + "http://vmmefm7ktazj2bwtmy46o3wxhk42tctasyyqv6ymuzlivszteyhkkyad.onion/", + "http://cfev2mvlqooohl3af2upkgu3ju4qcgqrrgh6sprfxkgh3qldh2ykxzyd.onion/", + 
"http://2fzahjlleflpcyecd245xe3q6tczjkwzcm4fbhd4q4bsun45y2csyayd.onion/", + "http://wpefgvpyuszr4vg444qed734big233itylqclte7usszbdbfyqvb2lqd.onion/", + "http://gvzbeu532wwxqze3v3xcxpsbhpvwusnajzahi55dqklbunzgjp5wchad.onion/", + "http://ieelfdk3qr6as2u5cx3kfo57pdu6s77lis3lafg5lx5ljqf2izial6ad.onion/" ], "refs": [ "https://www.ransomlook.io/group/abyss-data" @@ -28851,7 +28924,8 @@ { "meta": { "links": [ - "http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion" + "http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion", + "http://ulkvlj5sirgrbnvb4hvbjo2ex2c2ceqe2j4my57fcdozpbq5h5pyu7id.onion" ], "refs": [ "https://www.ransomlook.io/group/3am" 
@@ -28888,7 +28962,21 @@ "meta": { "links": [ "http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog", - "http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login" + "http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login", + "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion", + "http://zsglo7t7osxyk3vcl7zxzup7hs4ir52sntteymmw63zvoxzcqytlw7qd.onion/", + "http://6dgi54prfmpuuolutr4hl3akasxbx4o34g5y2bj4blrvzzkjemhxenad.onion/", + "http://eogeko3sdn66gb7vjpwpmlmmmzfx7umtwaugpf5l6tb5jveolfydnuad.onion/", + "http://ewrxgpvv7wsrqq7itfwg5jr7lkc6zzknndmru5su2ugrowxo3wwy5yad.onion/", + "http://3ro23rujyigqrlrwk3e4keh3a3i6ntgrm3f42tbiqtf7vke47c6a6ayd.onion/", + "http://jziu7k7uee467r2wt66ndrwymmw7tsmqgcqi7aemcaxraqmaf2hdm3yd.onion/", + "http://2yczff6zyiey3gkgl5anwejktdp73abxbzbnvwobmrwkwgf3hudpyvyd.onion/", + "http://bpoowhokr3vi32l3t4mjdtdxfrfpigwachopk5ojwmgxihnojhsawuyd.onion/", + "http://dbvczza7nhwdb5kdvkzjtkrcvwnrt5viw7mihutueprvajy7rxhwq6id.onion/", + "http://xtcwd3xmxpggtizn7kmwwqeizexflkkyqsytg2kauccau6ddsfa4gfyd.onion/", + "http://4wcrfql53ljekid3sn66z6swjot725muveddq77utxltaelw64eikfid.onion/", + "http://73h3lxn24kuayyfkn4t6ij7e67jklo24vqzqdhpts3ygmim7hu6u6aid.onion/", + "http://nwtetzmrqhxieetg5lvth7szzvg35gfrqt23ly46vku56oo7pkueswyd.onion/" ], "refs": [ "https://www.ransomlook.io/group/dragonforce" @@ -28905,7 +28993,8 @@ "http://mjmru3yz65o5szsp4rmkmh4adlezcpy5tqjjc4y5z6lozk3nnz2da2ad.onion/", "http:// http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion", "http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion", - "http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion" + "http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion", + "http://xeuvs5poflczn5i5kbynb5rupmidb5zjuza6gaq22uqsdp3jvkjkciqd.onion/" ], "refs": [ "https://www.ransomlook.io/group/ransomhub" 
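Review bot: The RansomHub `links` array still carries the malformed context entry `http:// http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion`, a duplicate of the well-formed `http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion` two lines below with a stray scheme prefix and space. The commit does not introduce it, but it edits this very array and is the natural place to delete the broken line, since the value is not a valid URL and will never match anything.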
@@ -28946,7 +29035,33 @@ "links": [ "http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion", "http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion", - "http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion" + "http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion", + "http://ipi4tiumgzjsym6pyuzrfqrtwskokxokqannmd6sa24shvr7x5kxdvqd.onion", + "http://j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion", + "http://zi34ocznt242jallttwvvhihrezjdzfgflf3uhdv6t3z23hhcn54efid.onion", + "http://37wb3ygyb3r2vf2dt5o3ca62zlduuowvkkwjrtbcgc5iri4t6rnzr7yd.onion", + "http://eppsldmcnv3ylabsx5srvf36wnk6jrowg6x4unxclv55rnu4kf5436yd.onion", + "http://slg7tnjb65swwyaebnyymyvo73xm36hxwugdsps7cwcxicizyzyt2byd.onion", + "http://x6zdxw6vt3gtpv35yqloydttvfvwyrju3opkmp4xejmlfxto7ahgnpyd.onion", + "http://jnbiz5lp44ddg4u5rsr4yebbpxa3iytcsshgbqa4m6r6po5y57h6yxid.onion", + "http://sm2gah7bjg6u2dfl3voiex6njh2kcuqqquvv7za37xokmbcivsgqcnad.onion", + "http://z7u6dkys7b2aeibvklxga7mldzrepoauiuniqwfhdadkkwwgmv6bqhad.onion", + "http://kri3lez34pbqra3xs5wxo55djldtsekol6tuqdjqecqzga6dpnjqruyd.onion", + "http://iejj6bywviuecjwi3kxanzojqroe3j3phzgplvrdzcicimtcw6xgk3yd.onion", + "http://xixkhm6inbg6t5642t2pjafsjsh3eaonpjysdcfvr3zvadlqb6nhryad.onion", + "http://giix5r763sbxmu442tmwfb4thqbz4i5ppxcqsmnnlqnm2yiezv6epxqd.onion", + "http://mokcrzbitq2gc5qcpxcbce43pawuthyaoazl6iz2xknj53ebyb4r4eid.onion", + "http://gpph6awu7hqsmzmr5sihusjoscp3itwtk3b4i2chwspmka2ikuqcwaqd.onion", + "http://v3r6g4q3b2jpqusznecxexr5aqi42vy5ts6jy6fu3strecvb5c2woead.onion", + "http://4xo3cicwo2rhpwr6vkgwt7mqg4oiqihsmoxwlmklf4sjoatkdqjtmcyd.onion", + "http://a4gbdvoorwn3tcqijoedvdeukqaqwc6t2kx4gh3gm37gv4p37evvzqad.onion", + "http://6jb5avmh6rvcb7vcux7kaivnzpqcrfg4ui4xv2co5vmspgrwll7lkkyd.onion", + "http://doz7omlqqanryonvil4iuj65shzcv3efupqwubkza6553wnekrrd4uid.onion", + "http://hbwsxlq3uzknabg2blt7d4mcbu24oriklji36zdqsz3ou3mf2d7bvoid.onion", + 
"http://ysknyr5m5n3pwg4jnaqsytxea2thwsbca3qipi64vlep42flywx7dgqd.onion", + "http://b3pzp6qwelgeygmzn6awkduym6s4gxh6htwxuxeydrziwzlx63zergyd.onion", + "http://p2qzf3rfvg4f74v2ambcnr6vniueucitbw6lyupkagsqejtuyak6qrid.onion", + "http://whfsjr35whjtrmmqqeqfxscfq564htdm427mjekic63737xscuayvkad.onion" ], "refs": [ "https://www.ransomlook.io/group/play", @@ -29002,10 +29117,15 @@ "value": "qiulong" }, { + "description": "", "meta": { "links": [ "https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion", - "https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/" + "https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/", + "https://vhfd5qagh6j7qbisjqvly7eejqbv6z5bv77v6yuhctn77wmd3hjkyvad.onion", + "https://acfckf3l6l7v2tsnedfx222a4og63zt6dmvheqbvsd72hkhaqadrrsad.onion", + "https://6wuivqgrv2g7brcwhjw5co3vligiqowpumzkcyebku7i2busrvlxnzid.onion", + "https://truysrv2txxvobngtlssbgqs3e3ekd53zl6zoxbotajyvmslp5rdxgid.onion" ], "refs": [ "https://www.ransomlook.io/group/cactus" @@ -29083,7 +29203,8 @@ "meta": { "links": [ "http://p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion/index.html", - "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/" + "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/", + "https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion/" ], "refs": [ "https://www.ransomlook.io/group/dunghill" 
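Review bot: The Cactus entry gains `"description": ""`, an empty string that adds no information and, for consumers that treat presence of the key as "a description exists", renders as a blank field. Either drop the key or supply a one-line description; a few sibling entries in this file already show the empty-string pattern, so this is also a chance not to spread it further.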
@@ -29240,7 +29361,20 @@ "meta": { "links": [ "http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion", - "http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion" + "http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion", + "http://76yl7gfmz2kkjglcevxps4tleyeqnqhfcxh6rnstxj27oxhoxird3hyd.onion", + "http://yj3eozlkkxkcsprc2fug7tolgtnllruyavuyyar3yzsccjdgvu2bl2yd.onion/", + "http://ufjoe7fdwvml52oin7flwlqksvp3fcvfyh2kwsngt7j2yf7xou52w2qd.onion/", + "http://i2okedfryhllg6ka6aur3wnxcxdaufbuuysp4drr5xoc6gvqpcogejid.onion/", + "http://s37weqmxusvfcxkoorgkut5v7frn27zftdb6pdjsyjl5djg6oxjqjbid.onion/", + "http://oftm4u5cfl6wyadj27h3csdxfvyd7favssxcr7l7wnswdsrfedxswxqd.onion/", + "http://wg55rcy2chmbpeh6pl5pftnveac2lqfxbletrtzanfjhhmvcjnn5tcqd.onion/", + "http://sbjthwyoxfuxq75b77e2hsj7ie67m3qicfnuikhuabwo3sikvrzyaxad.onion/", + "http://zo5xog4vpvdae473doneepetidh36m5czdq2vyeiq3lvqhuel56p6nid.onion/", + "http://66ohzao6afsv2opk22r2kv6fbnf2fthe7v4ykzzc5vjezvvyf3gocwyd.onion/", + "https://2nn4b6gihz5bttzabjegune3blwktad2zmy77fwutvvrxxodbufo6qid.onion/", + "http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/", + "http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get" ], "refs": [ "https://www.ransomlook.io/group/embargo" @@ -29279,7 +29413,9 @@ { "meta": { "links": [ - "https://apos.blog" + "https://apos.blog", + "http://yrz6bayqwhleymbeviter7ejccxm64sv2ppgqgderzgdhutozcbbhpqd.onion/rules", + "http://yrz6bayqwhleymbeviter7ejccxm64sv2ppgqgderzgdhutozcbbhpqd.onion/" ], "refs": [ "https://www.ransomlook.io/group/apos" @@ -29289,6 +29425,7 @@ "value": "apos" }, { + "description": "This group is believed to be connected to Lost Trust. El Dorado rebranded to BlackLock in September 2024.", "meta": { "links": [ "http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/", 
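Review bot: `http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get` is an API endpoint on a host that is already the first entry of this `links` array, so it adds a path rather than a new site, and `links` elsewhere in the file holds site roots. If the intent is to record the JSON endpoint the leak blog serves, that is worth a sentence in `description` or a ref; as a link it will be collapsed to the existing host by anyone normalising on hostname.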
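Review bot: The new description `El Dorado rebranded to BlackLock in September 2024` states an alias in free text only, so a search or tag for `BlackLock` will not resolve to this cluster; the galaxy's `synonyms` array exists for exactly this (compare `"synonyms": ["7777"]` in the botnet hunk of this commit). Add `"synonyms": ["BlackLock"]` (or `"El Dorado"`, whichever is not the entry's `value`, which sits outside this hunk) under `meta`. The claimed connection to Lost Trust would likewise be better expressed as a `related` entry with a supporting ref, if that cluster exists.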
@@ -29409,7 +29546,8 @@ { "meta": { "links": [ - "http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/" + "http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/", + "http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/" ], "refs": [ "https://www.ransomlook.io/group/cicada3301" @@ -29534,6 +29672,7 @@ "value": "chilelocker" }, { + "description": "Group is also currently known as MADDLL32 and Metatron.", "meta": { "links": [ "http://k67ivvik3dikqi4gy4ua7xa6idijl4si7k5ad5lotbaeirfcsx4sgbid.onion" 
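Review bot: `Group is also currently known as MADDLL32 and Metatron.` puts two aliases in free text where nothing can match them; add `"synonyms": ["MADDLL32", "Metatron"]` to `meta` so lookups on either name land on this cluster. "Currently" is also a time-relative word in a file with no per-entry date, so naming the month or year the aliases were observed, or citing a ref, keeps the sentence true later. The entry's `value` sits outside this hunk, so I cannot check that neither alias duplicates an existing cluster.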
@@ -29682,7 +29821,90 @@
 },
 "uuid": "2a1e103b-da5f-56d6-a0c8-5daff4c4fd87",
 "value": "orca"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://hackerosyolorz77y7vwj57zobwdeuzydhctz3kuuzr52ylzayvxuqyd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/osyolorz collective"
+ ]
+ },
+ "uuid": "99ddf1b6-7d75-58f6-b340-47545fec5e55",
+ "value": "osyolorz collective"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://3o5ewrzhqoyodfs5kll4cjxagdfrpuu474panwobm4im7ejfpaux5jyd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/embrago"
+ ]
+ },
+ "uuid": "f054ec08-9058-52ba-a90d-922a9cc1a412",
+ "value": "embrago"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://nitrogenczslprh3xyw6lh5xyjvmsz7ciljoqxxknd7uymkfetfhgvqd.onion",
+ "http://2u6njk55okdxvrup5feu3wbhyxvlqla7yuj2oz3xkzz27yzc66vcirqd.onion/",
+ "http://jzl4bylm4bng2zgmeqw3lx6bcbxzb2hulicxneuosq26sshnitrcvcad.onion/",
+ "http://6a5ib4udgwlkyl3zzeyenedcb7d33j2vq7egpqykr5457uiskeu6zjad.onion/",
+ "http://hzyp7n436ecwo73xvrgnf5wmbjewszwut4h6vz4fu6f2oqd5zfcd7sad.onion/",
+ "http://67hvtslok5a4cwjxfmidbgbunsvckypf2dwkpxg3y2sabar5b4jidmyd.onion/",
+ "http://sqnnhgqr4iiwnkaih6vspyxmebz2vvjv3uybmjdynw6sne5plilunhyd.onion/",
+ "http://z4tonbkjybcllsvd45smpkqkk5uaspmlnvmysrkxt37wuudijvp7k2id.onion",
+ "http://awrfq7pjydfp3hwbsun6ltxrrzths5ztgxj7i7ybx7twjrdvzvxkgwad.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/nitrogen"
+ ]
+ },
+ "uuid": "9d7ca9df-c219-59fc-93fb-86f4606942ba",
+ "value": "nitrogen"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion",
+ "http://bi32pq7y3gqq3qacgvamnk2s2elnppvevqp325wtk2wo7vh2zavjcfid.onion/",
+ "http://54yjkjwjqbm74nchm6o6b4l775ws2hgesdopus5jvo3jx6ftj7zn7mid.onion/",
+ "http://ngvvafvhfgwknj63ivqjqdxc7b5fyedo67zshblipo5a2zuair5t4nid.onion/",
+ "http://icmghe66zl4twvbv5g4h532mogcea44hrkxtotrlx6aia5jslnnbnxad.onion/",
+ "http://lyz3i74psw6vkuxdjhkyxzy3226775qpzs6oage4zw6qj66ppdxma2qd.onion/",
+ "http://55lfxollcks2pvxbtg73vrpl3i7x4jnnrxfl6al6viamwngqlu4cxgyd.onion/",
+ "http://modre6n4hqm4seip2thhbjcfkcdcljhec7ekvd5qt7m7fhimpc2446qd.onion/",
+ "http://r3yes535gjsi2puoz2bvssl3ewygcfgwoji6wdk3grj3baexn2hha2id.onion/",
+ "http://pauppf2nuoqxwwqqshaehbkj54debl7bppacfm5h6z6zjoiejifezhad.onion/",
+ "http://iiobxrljnmjwb6l66bfvhin5zxbghbgiv6yamqpb4bezlrxd2vhetgyd.onion/",
+ "http://nf5b6a4b4s623wfxkveibjmwwpqjm536t5tyrbtrw7vsdqepsdoejoad.onion/",
+ "http://rs3icoalw6bdgedspnmt6vp2dzzuyqxtccezmta2g5mlyao64len7dyd.onion/",
+ "http://lpp4aze237qkkursbtesd54ofag6te5i5lzpee5a3buhq4v3uwtxnlqd.onion/",
+ "http://6nwhpuwtf4onxvr7el5ycc4xwefhk4w6q6rbn23oe2ghax2x7nns3iad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/sarcoma"
+ ]
+ },
+ "uuid": "dfe512ec-19ef-50c4-9ddf-56daf8c9b8d7",
+ "value": "sarcoma"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/",
+ "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/leaks.php"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/interlock"
+ ]
+ },
+ "uuid": "6a20c736-d83c-502f-8a9f-379a556fb4ac",
+ "value": "interlock"
 }
 ],
- "version": 133
+ "version": 137
 }
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 222a4df..af929ed 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
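Review bot: The new `refs` entry `"https://www.ransomlook.io/group/osyolorz collective"` contains a literal space, so it is not a valid URL and will be rejected or mangled by any consumer that parses refs as URIs; it should be `"https://www.ransomlook.io/group/osyolorz%20collective"` (or whatever slug the source actually uses). The new cluster `"value": "embrago"` sits beside the existing `"embargo"` cluster, whose own links hunk is earlier in this same diff, and the two names differ only by a transposed pair of letters with no `description` to say they are distinct operations; if `embrago` is a scraper-side misspelling of the same group its onion should be added to the `embargo` entry rather than minted under a second UUID, and if it is genuinely separate a one-line `description` should say so. The `interlock` entry lists the same host twice (`/` and `/leaks.php`), which double-counts one site for hostname-based pivoting. None of the five new entries carries a `description`, unlike the two entries that gain one elsewhere in this diff. The enclosing `values` array starts outside the hunk; only its closing bracket and the `version` bump are visible here.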
@@ -23,10 +23,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
 ],
 "tags": [
@@ -93,8 +93,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/last-byte/PersistenceSniper",
 "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/last-byte/PersistenceSniper",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
 ],
 "tags": [
@@ -127,8 +127,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
 "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
 ],
 "tags": [
@@ -149,10 +149,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jamieantisocial/status/1304520651248668673",
- "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling",
 "https://www.sans.org/cyber-security-summit/archives",
 "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
+ "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling",
+ "https://twitter.com/jamieantisocial/status/1304520651248668673",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
 ],
 "tags": [
@@ -188,9 +188,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
 ],
 "tags": [
@@ -223,8 +223,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml"
 ],
 "tags": [
@@ -258,10 +258,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
 ],
 "tags": [
@@ -294,9 +294,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
 "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
 "https://twitter.com/Hexacorn/status/991447379864932352",
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
 ],
 "tags": [
@@ -420,11 +420,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
- "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
 "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
 "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
 "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
+ "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml"
 ],
 "tags": [
@@ -466,10 +466,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
 "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
 "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
- "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
 "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
 ],
@@ -540,8 +540,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
 "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
 ],
 "tags": [
@@ -564,8 +564,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml"
 ],
 "tags": [
@@ -716,9 +716,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
 ],
 "tags": [
@@ -751,8 +751,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf",
 "https://twitter.com/standa_t/status/1808868985678803222",
+ "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml"
 ],
 "tags": [
@@ -786,8 +786,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
 "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
+ "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
 ],
 "tags": [
@@ -821,8 +821,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
 ],
 "tags": [
@@ -1100,9 +1100,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
 ],
 "tags": [
@@ -1202,10 +1202,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
- "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
 "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
+ "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
 "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
+ "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml"
 ],
 "tags": [
@@ -1305,8 +1305,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/naturallanguage6.html",
 "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
+ "https://persistence-info.github.io/Data/naturallanguage6.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
 ],
 "tags": [
@@ -1329,8 +1329,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://labs.f-secure.com/blog/scheduled-task-tampering/",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://labs.f-secure.com/blog/scheduled-task-tampering/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
 ],
 "tags": [
@@ -1371,8 +1371,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml"
 ],
@@ -1507,6 +1507,7 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/",
 "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml"
 ],
@@ -1540,9 +1541,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
 "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
 ],
 "tags": [
@@ -1575,8 +1576,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml"
 ],
 "tags": [
@@ -1627,8 +1628,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
- "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
 "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
+ "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml"
 ],
 "tags": [
@@ -1661,9 +1662,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://twitter.com/inversecos/status/1494174785621819397",
 "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml"
 ],
 "tags": [
@@ -1773,8 +1774,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
 "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml"
 ],
 "tags": [
@@ -1891,9 +1892,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
- "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
 "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
+ "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
+ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml"
 ],
 "tags": [
@@ -1939,10 +1940,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
 "https://github.com/gtworek/PSBits/tree/master/IFilter",
- "https://twitter.com/0gtweet/status/1468548924600459267",
 "https://persistence-info.github.io/Data/ifilters.html",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
+ "https://twitter.com/0gtweet/status/1468548924600459267",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
 ],
 "tags": [
@@ -1965,9 +1966,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/M_haggis/status/1699056847154725107",
 "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
 "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
- "https://twitter.com/M_haggis/status/1699056847154725107",
 "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml"
 ],
@@ -2057,10 +2058,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1626648985824788480",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
 "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
+ "https://twitter.com/nas_bench/status/1626648985824788480",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml"
 ],
 "tags": [
@@ -2286,16 +2287,16 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -2336,8 +2337,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml"
 ],
 "tags": [
@@ -2427,8 +2428,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
 "https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
 ],
 "tags": [
@@ -2485,8 +2486,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
 "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
+ "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
 ],
 "tags": [
@@ -2610,16 +2611,16 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.sekoia.io/darkgate-internals/",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://blog.sekoia.io/darkgate-internals/",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -2787,9 +2788,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
 ],
 "tags": [
@@ -2857,13 +2858,14 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
 "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
- "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
+ "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
 ],
 "tags": [
@@ -2897,8 +2899,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
- "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
+ "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
 ],
 "tags": [
@@ -2933,9 +2935,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
 ],
 "tags": [
@@ -3016,9 +3018,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
 "tags": [
@@ -3077,9 +3079,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
 ],
 "tags": [
@@ -3112,8 +3114,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml"
 ],
@@ -3184,9 +3186,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
 ],
 "tags": [
@@ -3276,10 +3278,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://github.com/elastic/detection-rules/issues/1371",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://github.com/elastic/detection-rules/issues/1371",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
 ],
 "tags": [
@@ -3386,8 +3388,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
 "https://persistence-info.github.io/Data/hhctrl.html",
+ "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
 ],
 "tags": [
@@ -3444,9 +3446,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
 ],
 "tags": [
@@ -3552,9 +3554,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://twitter.com/inversecos/status/1494174785621819397",
 "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml"
 ],
 "tags": [
@@ -3620,8 +3622,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/shell/app-registration",
 "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+ "https://learn.microsoft.com/en-us/windows/win32/shell/app-registration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml"
 ],
 "tags": [
@@ -3654,13 +3656,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
 ],
 "tags": [
@@ -3694,8 +3696,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
 "Internal Research",
+ "https://twitter.com/inversecos/status/1494174785621819397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml"
 ],
 "tags": [
@@ -3762,8 +3764,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/mpnotify.html",
 "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
+ "https://persistence-info.github.io/Data/mpnotify.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
 ],
 "tags": [
@@ -3877,8 +3879,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml"
 ],
 "tags": [
@@ -3978,10 +3980,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
- "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1",
- "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
 "https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps",
+ "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
+ "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1",
+ "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml"
 ],
 "tags": [
@@ -4038,9 +4040,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
 ],
 "tags": [
@@ -4106,9 +4108,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
 "https://persistence-info.github.io/Data/codesigning.html",
 "https://github.com/gtworek/PSBits/tree/master/SIP",
- "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
 "tags": [
@@ -4199,8 +4201,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior",
 "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5",
+ "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml"
 ],
 "tags": [
@@ -4233,8 +4235,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
 "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis",
+ "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml"
 ],
 "tags": [
@@ -4399,8 +4401,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
 "https://github.com/hfiref0x/UACME",
+ "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
 ],
 "tags": [
@@ -4468,8 +4470,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
 "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
+ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
 ],
 "tags": [
@@ -4645,8 +4647,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/rootm0s/WinPwnage",
 "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
+ "https://github.com/rootm0s/WinPwnage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
 ],
 "tags": [
@@ -4804,8 +4806,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
 "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
 "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
@@ -5053,8 +5055,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
 "https://twitter.com/WhichbufferArda/status/1543900539280293889",
+ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
 ],
 "tags": [
@@ -5189,8 +5191,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
 "https://twitter.com/pabraeken/status/998627081360695297",
+ "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
 "https://twitter.com/VakninHai/status/1517027824984547329",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
 ],
@@ -5289,10 +5291,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
@@ -5527,9 +5529,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
 ],
 "tags": [
@@ -5597,10 +5599,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
 "tags": [
@@ -5634,9 +5636,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
 ],
 "tags": [
@@ -5745,9 +5747,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
 ],
@@ -6086,8 +6088,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
 "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -6161,8 +6163,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
 ],
 "tags": [
@@ -6328,8 +6330,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "http://woshub.com/how-to-clear-rdp-connections-history/",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -6370,11 +6372,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/shell/launch",
 "https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
 "https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
- "https://learn.microsoft.com/en-us/windows/win32/shell/launch",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -6407,8 +6409,8 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://seclists.org/fulldisclosure/2020/Mar/45",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml"
 ],
 "tags": [
@@ -6441,8 +6443,8 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
 "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis",
+ "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml"
 ],
 "tags": [
@@ -6552,9 +6554,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.dfirnotes.net/portproxy_detection/",
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
 "tags": [
@@ -6589,8 +6591,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
+ "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
 ],
 "tags": [
@@ -6623,8 +6625,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
 "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
 "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml"
 ],
@@ -6658,11 +6660,11 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
- "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
- "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
- "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
 "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
+ "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
+ "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
+ "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
 ],
 "tags": [
@@ -6698,8 +6700,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
- "https://persistence-info.github.io/Data/recyclebin.html",
 "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
+ "https://persistence-info.github.io/Data/recyclebin.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
 ],
 "tags": [
@@ -6732,9 +6734,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
 "https://github.com/hfiref0x/UACME",
 "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
 "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
 ],
@@ -7253,8 +7255,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/",
 "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157",
+ "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml"
 ],
 "tags": [
@@ -7287,8 +7289,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
 ],
 "tags": [
@@ -7428,8 +7430,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/MalwareJake/status/870349480356454401",
 "https://wikileaks.org/vault7/#Pandemic",
+ "https://twitter.com/MalwareJake/status/870349480356454401",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml"
 ],
 "tags": [
@@ -7495,8 +7497,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml"
 ],
 "tags": [
@@ -7532,8 +7534,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
 "https://twitter.com/SBousseaden/status/1183745981189427200",
+ "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml"
 ],
 "tags": [
@@ -7743,11 +7745,11 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
- "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
 ],
 "tags": [
@@ -7847,8 +7849,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/amsi.html",
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
+ "https://persistence-info.github.io/Data/amsi.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml"
 ],
 "tags": [
@@ -8307,8 +8309,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
 "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -8375,10 +8377,10 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
- "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
+ "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
+ "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml"
 ],
 "tags": [
@@ -8411,8 +8413,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
 "https://twitter.com/notwhickey/status/1333900137232523264",
+ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml"
 ],
 "tags": [
@@ -8445,8 +8447,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://twitter.com/neonprimetime/status/1436376497980428318",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml"
 ],
@@ -8514,8 +8516,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04",
+ "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml"
 ],
 "tags": [
@@ -8548,8 +8550,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
 "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
+ "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
 "https://cydefops.com/devtunnels-unleashed",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml"
 ],
@@ -8748,9 +8750,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://cydefops.com/vscode-data-exfiltration",
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://cydefops.com/vscode-data-exfiltration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml"
 ],
 "tags": [
@@ -8783,9 +8785,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://malware.guide/browser-hijacker/remove-onelaunch-virus/",
 "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/",
 "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf",
- "https://malware.guide/browser-hijacker/remove-onelaunch-virus/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml"
 ],
 "tags": [
@@ -8818,8 +8820,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml"
 ],
 "tags": [
@@ -8861,14 +8863,14 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
- "https://redcanary.com/blog/misbehaving-rats/",
+ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
- "https://blog.sekoia.io/scattered-spider-laying-new-eggs/",
- "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
+ "https://redcanary.com/blog/misbehaving-rats/",
 "https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization",
+ "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"
 ],
 "tags": [
@@ -8901,18 +8903,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
 "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml"
 ],
 "tags": [
@@ -8947,8 +8949,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml"
 ],
 "tags": [
@@ -9026,9 +9028,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Azure/SimuLand",
 "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://o365blog.com/post/adfs/",
- "https://github.com/Azure/SimuLand",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml"
 ],
 "tags": [
@@ -9061,8 +9063,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml"
 ],
 "tags": [
@@ -9130,8 +9132,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/malcomvetter/CSExec",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml"
 ],
 "tags": [
@@ -9173,8 +9175,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hackvens/CoercedPotato",
 "https://blog.hackvens.fr/articles/CoercedPotato.html",
+ "https://github.com/hackvens/CoercedPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml"
 ],
 "tags": [
@@ -9309,10 +9311,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://github.com/SigmaHQ/sigma/issues/253",
- "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml"
 ],
 "tags": [
@@ -9346,8 +9348,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml"
 ],
 "tags": [
@@ -9448,8 +9450,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml"
 ],
 "tags": [
@@ -9506,8 +9508,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml"
 ],
 "tags": [
@@ -9540,8 +9542,8 @@
 "logsource.category": "sysmon_status",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
 ],
 "tags": [
@@ -9620,8 +9622,8 @@
 "logsource.category": "sysmon_error",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
 ],
 "tags": [
@@ -9654,8 +9656,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
 "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml"
 ],
 "tags": [
@@ -9701,8 +9703,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io",
 "Personal research, statistical analysis",
+ "https://lolbas-project.github.io",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml"
 ],
 "tags": [
@@ -9736,9 +9738,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/KeeThief",
 "https://github.com/denandz/KeeFarce",
 "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/GhostPack/KeeThief",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
 ],
 "tags": [
@@ -9847,8 +9849,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1090588499517079552",
 "https://github.com/mdsecactivebreach/CACTUSTORCH",
+ "https://twitter.com/SBousseaden/status/1090588499517079552",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml"
 ],
 "tags": [
@@ -9906,8 +9908,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
 "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
+ "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml"
 ],
 "tags": [
@@ -10097,8 +10099,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io",
 "Personal research, statistical analysis",
+ "https://lolbas-project.github.io",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml"
 ],
 "tags": [
@@ -10456,8 +10458,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
 ],
 "tags": [
@@ -10523,8 +10525,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/SafetyKatz",
 "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
+ "https://github.com/GhostPack/SafetyKatz",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml"
 ],
 "tags": [
@@ -10740,9 +10742,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
 ],
 "tags": [
@@ -10959,10 +10961,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
@@ -10996,9 +10998,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
 "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml"
 ],
 "tags": [
@@ -11303,8 +11305,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders",
 "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
+ "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml"
 ],
 "tags": [
@@ -11337,10 +11339,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
 "https://github.com/Yaxser/Backstab",
- "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
 "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
+ "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
 ],
 "tags": [
@@ -11474,8 +11476,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
 ],
 "tags": [
@@ -11543,9 +11545,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
- "Internal Research",
 "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "Internal Research",
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
 ],
 "tags": [
@@ -11603,9 +11605,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
 ],
 "tags": [
@@ -11727,8 +11729,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/wpbbin.html",
 "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
 ],
 "tags": [
@@ -11882,8 +11884,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
 ],
 "tags": [
@@ -12398,10 +12400,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
- "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
- "http://addbalance.com/word/startup.htm",
 "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
+ "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "http://addbalance.com/word/startup.htm",
+ "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml"
 ],
 "tags": [
@@ -12475,8 +12477,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://cobalt.io/blog/kerberoast-attack-techniques",
 "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
+ "https://cobalt.io/blog/kerberoast-attack-techniques",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml"
 ],
 "tags": [
@@ -12533,26 +12535,26 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/besimorhino/powercat",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/adrecon/ADRecon",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/samratashok/nishang",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/adrecon/AzureADRecon",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/nettitude/Invoke-PowerThIEf",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
- "https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/adrecon/ADRecon",
 "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/adrecon/AzureADRecon",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
 ],
 "tags": [
@@ -12651,8 +12653,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/davisrichardg/status/1616518800584704028",
 "https://aboutdfir.com/the-key-to-identify-psexec/",
+ "https://twitter.com/davisrichardg/status/1616518800584704028",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml"
 ],
 "tags": [
@@ -12705,12 +12707,14 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/helpsystems/nanodump",
- "https://www.google.com/search?q=procdump+lsass",
 "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
 "https://github.com/CCob/MirrorDump",
+ "https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258",
+ "https://github.com/helpsystems/nanodump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://www.google.com/search?q=procdump+lsass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
 ],
 "tags": [
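Review bot: The two genuinely new references in this hunk (NativeDump `Program.cs#L258` and RustiveDump `src/main.rs#L35`) are pinned to a commit hash and line, which is the right way to cite where a tool's default LSASS dump file name is defined, but they are hard to spot because the rest of the `refs` array is also reshuffled with no content change, as is nearly every other `refs` array in this diff. That pattern suggests the generator emits `refs` in set or dict iteration order rather than in the upstream Sigma rule's `references:` order; the generator itself is not in view, so this is inferred from the diff shape only. Either preserving the upstream order or sorting the list deterministically before serialisation (e.g. `"refs": sorted(refs)`) would confine future diffs to real additions like these and make the per-rule citation changes reviewable. The enclosing cluster object (its `value`, `description` and the rest of its `meta`) starts and ends outside this hunk.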
@@ -12812,8 +12816,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
 ],
@@ -12880,8 +12884,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1550836225652686848",
 "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile",
+ "https://twitter.com/nas_bench/status/1550836225652686848",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml"
 ],
 "tags": [
@@ -13069,8 +13073,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md",
 "PT ESC rule and personal experience",
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml"
 ],
 "tags": [
@@ -13103,9 +13107,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
- "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
 "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
+ "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -13196,8 +13200,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
 "https://persistence-info.github.io/Data/powershellprofile.html",
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
 ],
 "tags": [
@@ -13231,10 +13235,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
- "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
+ "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
+ "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
 ],
 "tags": [
@@ -13367,8 +13371,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
 ],
 "tags": [
@@ -13541,8 +13545,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml"
 ],
 "tags": [
@@ -13598,10 +13602,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
- "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
 "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence",
+ "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
 "https://liberty-shell.com/sec/2020/02/25/shim-persistence/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml"
 ],
 "tags": [
@@ -13767,9 +13771,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
],
"tags": [
@@ -13835,8 +13839,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
"https://github.com/last-byte/PersistenceSniper",
+ "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml"
],
"tags": [
@@ -13859,11 +13863,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://twitter.com/luc4m/status/1073181154126254080",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
"tags": [
@@ -13896,10 +13900,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://pentestlab.blog/tag/ntds-dit/",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml"
],
"tags": [
@@ -14041,8 +14045,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/",
"https://asec.ahnlab.com/en/58878/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml"
],
"tags": [
@@ -14065,10 +14069,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cube0x0/status/1418920190759378944",
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
- "https://github.com/GossiTheDog/HiveNightmare",
"https://github.com/FireFart/hivenightmare/",
+ "https://github.com/GossiTheDog/HiveNightmare",
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://twitter.com/cube0x0/status/1418920190759378944",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml"
],
"tags": [
@@ -14102,9 +14106,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
- "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml"
],
"tags": [
@@ -14213,8 +14217,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
],
"tags": [
@@ -14282,8 +14286,8 @@
"logsource.product": "windows",
"refs": [
"https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://twitter.com/Sam0x90/status/1552011547974696960",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
],
"tags": [
@@ -14339,9 +14343,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
"tags": [
@@ -14407,8 +14411,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/outflanknl/Dumpert",
"https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml"
],
"tags": [
@@ -14441,9 +14445,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://github.com/fox-it/LDAPFragger",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://github.com/fox-it/LDAPFragger",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml"
],
"tags": [
@@ -14510,8 +14514,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/binderlabs/DirCreate2System",
+ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml"
],
"tags": [
@@ -14536,11 +14540,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
"https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
"https://twitter.com/pfiatde/status/1681977680688738305",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
- "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
"https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
+ "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml"
],
"tags": [
@@ -14573,8 +14577,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.joesandbox.com/analysis/465533/0/html",
"https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.joesandbox.com/analysis/465533/0/html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
],
"tags": [
@@ -14657,11 +14661,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://twitter.com/luc4m/status/1073181154126254080",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
"tags": [
@@ -14694,8 +14698,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
"https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
],
"tags": [
@@ -14754,12 +14758,12 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/MaD_c4t/status/1623414582382567424",
- "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
- "https://labs.withsecure.com/publications/detecting-onenote-abuse",
"https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
+ "https://labs.withsecure.com/publications/detecting-onenote-abuse",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
+ "https://twitter.com/MaD_c4t/status/1623414582382567424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml"
],
"tags": [
@@ -15107,12 +15111,12 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -15223,8 +15227,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
],
"tags": [
@@ -15257,11 +15261,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/search?q=CVE-2021-36934",
- "https://github.com/HuskyHacks/ShadowSteal",
"https://github.com/FireFart/hivenightmare",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
+ "https://github.com/HuskyHacks/ShadowSteal",
+ "https://github.com/search?q=CVE-2021-36934",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
"tags": [
@@ -15294,8 +15298,8 @@
"logsource.category": "file_rename",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
"https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
+ "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
],
"tags": [
@@ -15328,8 +15332,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
+ "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml"
],
"tags": [
@@ -15362,8 +15366,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml"
],
"tags": [
@@ -15465,8 +15469,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens",
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
+ "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml"
],
"tags": [
@@ -15499,8 +15503,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
"https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
+ "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credhist.yml"
],
"tags": [
@@ -15599,8 +15603,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/",
"Internal Research",
+ "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml"
],
"tags": [
@@ -15756,8 +15760,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/",
"Internal Research",
+ "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml"
],
"tags": [
@@ -16188,8 +16192,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
+ "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
],
@@ -16223,8 +16227,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
],
@@ -16475,8 +16479,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
],
@@ -16510,10 +16514,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.elastic.co/security-labs/operation-bleeding-bear",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml"
],
"tags": [
@@ -16657,8 +16661,8 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
- "https://twitter.com/nao_sec/status/1530196847679401984",
"https://twitter.com/_JohnHammond/status/1531672601067675648",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"
],
"tags": [
@@ -16778,10 +16782,10 @@
"refs": [
"https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
"https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
- "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior",
- "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
- "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
"https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
+ "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
+ "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml"
],
"tags": [
@@ -16814,13 +16818,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
"https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
"https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml"
],
"tags": [
@@ -16853,9 +16857,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/",
"https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml"
],
"tags": [
@@ -16897,8 +16901,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml"
],
"tags": [
@@ -16933,8 +16937,8 @@
"logsource.product": "windows",
"refs": [
"https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
- "https://ss64.com/bash/rar.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://ss64.com/bash/rar.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml"
],
"tags": [
@@ -17159,8 +17163,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml"
],
"tags": [
@@ -17295,10 +17299,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml"
],
"tags": [
@@ -17413,9 +17417,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -17485,8 +17489,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
"https://mobile.twitter.com/0gtweet/status/1564131230941122561",
+ "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml"
],
"tags": [
@@ -17519,9 +17523,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml"
],
"tags": [
@@ -17554,8 +17558,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.pingcastle.com/documentation/scanner/",
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://www.pingcastle.com/documentation/scanner/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml"
],
"tags": [
@@ -17597,8 +17601,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
"Turla has used fsutil fsinfo drives to list connected drives.",
+ "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
],
"tags": [
@@ -17706,8 +17710,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/Seatbelt",
"https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
+ "https://github.com/GhostPack/Seatbelt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
],
"tags": [
@@ -17756,9 +17760,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf",
"https://lolbas-project.github.io/lolbas/Binaries/Psr/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml"
],
"tags": [
@@ -17923,8 +17927,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/mandiant/SharPersist",
"https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
+ "https://github.com/mandiant/SharPersist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml"
],
"tags": [
@@ -17980,13 +17984,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
- "https://github.com/zcgonvh/NTDSDumpEx",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://github.com/zcgonvh/NTDSDumpEx",
"https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
"tags": [
@@ -18052,8 +18056,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml"
],
"tags": [
@@ -18086,8 +18090,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/network-tunneling-with-qemu/111803/",
"https://www.qemu.org/docs/master/system/invocation.html#hxtool-5",
+ "https://securelist.com/network-tunneling-with-qemu/111803/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml"
],
"tags": [
@@ -18164,8 +18168,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml" ], "tags": [ @@ -18497,9 +18501,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ 
@@ -18608,10 +18612,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -18675,9 +18679,9 @@ "value": "Terminal Service Process Spawn" }, { - "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", + "description": "Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.\n", "meta": { - "author": "pH-T (Nextron Systems)", + "author": "pH-T (Nextron Systems), Sittikorn Sangrattanapitak", "creation_date": "2023-04-17", "falsepositive": [ "Unlikely" 
@@ -18688,6 +18692,7 @@ "logsource.product": "windows", "refs": [ "https://github.com/ly4k/Certipy", + "https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml" ], "tags": [ @@ -18721,10 +18726,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", + "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ @@ -18792,8 +18797,8 @@ "logsource.product": "windows", "refs": [ "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ 
@@ -19020,8 +19025,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml" ], "tags": [ @@ -19300,8 +19305,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], 
@@ -19360,11 +19365,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vysecurity/status/885545634958385153", - "https://twitter.com/Hexacorn/status/885570278637678592", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", - "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/Hexacorn/status/885553465417756673", + "https://twitter.com/vysecurity/status/885545634958385153", + "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://twitter.com/Hexacorn/status/885570278637678592", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -19453,8 +19458,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ 
@@ -19686,8 +19691,8 @@ "logsource.product": "windows", "refs": [ "https://blog.viettelcybersecurity.com/saml-show-stopper/", - "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", + "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], "tags": [ @@ -19753,8 +19758,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/decoder-it/LocalPotato", "https://www.localpotato.com/localpotato_html/LocalPotato.html", + "https://github.com/decoder-it/LocalPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml" ], "tags": [ @@ -19779,8 +19784,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ @@ -19813,8 +19818,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml" ], "tags": [ 
@@ -20030,8 +20035,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/wpbbin.html", "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ @@ -20172,9 +20177,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://emkc.org/s/RJjuLa", "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], "tags": [ @@ -20308,8 +20313,8 @@ "logsource.product": "windows", "refs": [ "https://linux.die.net/man/1/bash", - "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "Internal Research", + "https://lolbas-project.github.io/lolbas/Binaries/Bash/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], "tags": [ @@ -20512,9 +20517,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095963789111296", - "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml" ], "tags": [ 
@@ -20570,10 +20575,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml" ], "tags": [ @@ -20732,11 +20737,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/aceresponder/status/1636116096506818562", - "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", - "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", - "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", + "https://twitter.com/aceresponder/status/1636116096506818562", + "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", + "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", + "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ 
@@ -20770,9 +20775,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ @@ -20882,8 +20887,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2023/03/06/2022-year-in-review/", - "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", + "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ @@ -20917,10 +20922,10 @@ "logsource.product": "windows", "refs": [ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/egre55/status/1087685529016193025", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://twitter.com/egre55/status/1087685529016193025", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], "tags": [ 
@@ -20987,10 +20992,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup", + "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml" ], "tags": [ @@ -21024,8 +21029,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ 
@@ -21092,9 +21097,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", - "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ 
@@ -21260,6 +21265,39 @@
 "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b",
 "value": "Security Privileges Enumeration Via Whoami.EXE"
 },
+ {
+ "description": "Detects possible search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\nThis string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022-10-25",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_jwt_token_search.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://mrd0x.com/stealing-tokens-from-office-applications/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml"
+ ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1528"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
+ "value": "Potentially Suspicious JWT Token Search Via CLI"
+ },
 {
 "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.",
 "meta": {
@@ -21309,9 +21347,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], @@ -21527,8 +21565,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1550836225652686848", "https://persistence-info.github.io/Data/windowsterminalprofile.html", + "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ @@ -21586,8 +21624,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml" ], "tags": [ 
@@ -21620,8 +21658,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": [ @@ -21662,10 +21700,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ @@ -21823,9 +21861,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", - "https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html", "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml" ], 
@@ -21859,8 +21897,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml" ], "tags": [ @@ -22110,10 +22148,10 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", - "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", - "https://man.openbsd.org/ssh_config#LocalCommand", "https://gtfobins.github.io/gtfobins/ssh/", + "https://man.openbsd.org/ssh_config#LocalCommand", "https://man.openbsd.org/ssh_config#ProxyCommand", + "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml" ], "tags": [ @@ -22146,8 +22184,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" 
@@ -22192,9 +22230,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://www.intrinsec.com/apt27-analysis/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.intrinsec.com/apt27-analysis/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -22435,8 +22473,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], "tags": [ @@ -22537,8 +22575,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://twitter.com/med0x2e/status/1520402518685200384", + "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml" ], "tags": [ 
@@ -22648,8 +22686,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ @@ -22749,8 +22787,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" ], "tags": [ @@ -22793,8 +22831,8 @@ "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", - "https://redcanary.com/blog/msix-installers/", "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", + "https://redcanary.com/blog/msix-installers/", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], 
@@ -22965,8 +23003,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml" ], "tags": [ @@ -23012,9 +23050,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], 
@@ -23222,9 +23260,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", - "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" ], "tags": [ @@ -23291,13 +23329,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", - "https://positive.security/blog/ms-officecmd-rce", - "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://lolbas-project.github.io/lolbas/Binaries/Teams/", - "https://taggart-tech.com/quasar-electron/", "https://github.com/mttaggart/quasar", + "https://taggart-tech.com/quasar-electron/", + "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", + "https://positive.security/blog/ms-officecmd-rce", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ 
@@ -23421,8 +23459,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tria.ge/240731-jh4crsycnb/behavioral2", "https://redcanary.com/blog/threat-detection/process-masquerading/", + "https://tria.ge/240731-jh4crsycnb/behavioral2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml" ], "tags": [ @@ -23455,8 +23493,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://twitter.com/Oddvarmoe/status/1641712700605513729", + "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" ], "tags": [ 
@@ -23479,11 +23517,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], "tags": [ 
@@ -23516,13 +23554,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/tools/bcp-utility",
- "https://asec.ahnlab.com/en/61000/",
- "https://www.huntress.com/blog/attacking-mssql-servers",
 "https://asec.ahnlab.com/en/78944/",
+ "https://www.huntress.com/blog/attacking-mssql-servers",
+ "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/",
 "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii",
- "https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/",
+ "https://docs.microsoft.com/en-us/sql/tools/bcp-utility",
+ "https://asec.ahnlab.com/en/61000/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml"
 ],
 "tags": [
@@ -23555,9 +23593,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/binderlabs/DirCreate2System",
 "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
 ],
 "tags": [
@@ -23600,9 +23638,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
 "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
 "tags": [
@@ -23726,8 +23764,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"
 ],
 "tags": [
@@ -23828,8 +23866,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
 ],
 "tags": [
@@ -23903,8 +23941,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
 ],
@@ -23973,8 +24011,8 @@
 "refs": [
 "https://tria.ge/240521-ynezpagf56/behavioral1",
 "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/",
- "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091",
 "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/",
+ "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml"
 ],
 "tags": [
@@ -24007,8 +24045,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/",
+ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml"
 ],
 "tags": [
@@ -24044,9 +24082,9 @@
 "refs": [
 "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/cglyer/status/1355171195654709249",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://twitter.com/cglyer/status/1355171195654709249",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
 ],
 "tags": [
@@ -24079,8 +24117,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
+ "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"
 ],
 "tags": [
@@ -24221,9 +24259,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
- "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
 "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
+ "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml"
 ],
 "tags": [
@@ -24403,8 +24441,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
+ "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"
 ],
 "tags": [
@@ -24470,8 +24508,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
 "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
+ "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
 ],
 "tags": [
@@ -24504,8 +24542,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
 "https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/",
+ "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"
 ],
 "tags": [
@@ -24572,12 +24610,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
+ "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/vletoux/pingcastle",
 "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
 "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
- "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
- "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
 "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml"
 ],
@@ -24611,9 +24649,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
+ "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml"
 ],
 "tags": [
@@ -24646,9 +24684,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://emkc.org/s/RJjuLa",
 "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://redcanary.com/blog/chromeloader/",
+ "https://emkc.org/s/RJjuLa",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
 ],
 "tags": [
@@ -24681,11 +24719,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
 "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
 ],
 "tags": [
@@ -24761,12 +24799,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/helpsystems/nanodump",
 "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://github.com/CCob/MirrorDump",
+ "https://github.com/helpsystems/nanodump",
 "https://github.com/Hackndo/lsassy",
 "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
 "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://github.com/CCob/MirrorDump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
 ],
 "tags": [
@@ -24976,8 +25014,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
 "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml"
 ],
 "tags": [
@@ -25043,9 +25081,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml"
 ],
 "tags": [
@@ -25122,8 +25160,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml"
 ],
 "tags": [
@@ -25189,10 +25227,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_JohnHammond/status/1588155401752788994",
+ "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
 "https://twitter.com/Max_Mal_/status/1633863678909874176",
 "Internal Research",
- "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
+ "https://twitter.com/_JohnHammond/status/1588155401752788994",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml"
 ],
 "tags": [
@@ -25258,8 +25296,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
 ],
 "tags": [
@@ -25383,9 +25421,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
- "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
 "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
+ "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml"
 ],
 "tags": [
@@ -25452,10 +25490,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://github.com/defaultnamehere/cookie_crimes/",
 "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
 "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
- "https://github.com/defaultnamehere/cookie_crimes/",
- "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml"
 ],
 "tags": [
@@ -25554,9 +25592,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
 ],
 "tags": [
@@ -25657,9 +25695,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml"
 ],
 "tags": [
@@ -25921,8 +25959,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
 "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml"
 ],
 "tags": [
@@ -26006,8 +26044,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/ShadowChasing1/status/1552595370961944576",
 "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
+ "https://twitter.com/ShadowChasing1/status/1552595370961944576",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml"
 ],
 "tags": [
@@ -26140,10 +26178,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
- "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
 "tags": [
@@ -26228,12 +26266,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://redcanary.com/blog/raspberry-robin/",
- "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml"
 ],
 "tags": [
@@ -26358,10 +26396,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml"
 ],
 "tags": [
@@ -26394,8 +26432,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml"
 ],
 "tags": [
@@ -26461,9 +26499,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/nettitude/SharpWSUS",
 "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1",
 "https://labs.nettitude.com/blog/introducing-sharpwsus/",
- "https://github.com/nettitude/SharpWSUS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml"
 ],
 "tags": [
@@ -26757,8 +26795,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/hexacorn/status/1448037865435320323",
 "https://twitter.com/Gal_B1t/status/1062971006078345217",
+ "https://twitter.com/hexacorn/status/1448037865435320323",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml"
 ],
 "tags": [
@@ -26791,8 +26829,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml"
 ],
 "tags": [
@@ -26935,8 +26973,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
 "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
+ "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"
 ],
 "tags": [
@@ -27026,8 +27064,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
 ],
 "tags": [
@@ -27061,11 +27099,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
- "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
 "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
+ "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
 "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"
 ],
 "tags": [
@@ -27159,9 +27197,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://github.com/antonioCoco/RogueWinRM",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://github.com/antonioCoco/RogueWinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
 ],
 "tags": [
@@ -27432,8 +27470,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
 "https://twitter.com/mrd0x/status/1478116126005641220",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml"
 ],
 "tags": [
@@ -27575,12 +27613,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://www.joeware.net/freetools/tools/adfind/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
 ],
 "tags": [
@@ -27711,8 +27749,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
 "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml"
 ],
 "tags": [
@@ -27778,11 +27816,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cloudflare/cloudflared/releases",
 "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://www.intrinsec.com/akira_ransomware/",
 "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://github.com/cloudflare/cloudflared/releases",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml"
 ],
 "tags": [
@@ -28054,9 +28092,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
 "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records",
+ "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
 ],
 "tags": [
@@ -28374,8 +28412,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_felamos/status/1179811992841797632",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
+ "https://twitter.com/_felamos/status/1179811992841797632",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml"
 ],
 "tags": [
@@ -28441,8 +28479,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://anydesk.com/en/changelog/windows",
 "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/",
+ "https://anydesk.com/en/changelog/windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml"
 ],
 "tags": [
@@ -28467,8 +28505,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
- "https://reaqta.com/2017/11/short-journey-darkvnc/",
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
+ "https://reaqta.com/2017/11/short-journey-darkvnc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml"
 ],
 "tags": [
@@ -28526,8 +28564,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/0xthirteen/SharpMove/",
 "https://pentestlab.blog/tag/sharpmove/",
+ "https://github.com/0xthirteen/SharpMove/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml"
 ],
 "tags": [
@@ -28561,11 +28599,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
- "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
 "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
 "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
 "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
+ "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml"
 ],
 "tags": [
@@ -28608,9 +28646,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
 "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
 ],
 "tags": [
@@ -28700,8 +28738,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/sensepost/impersonate", + "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" ], "tags": [ @@ -28869,13 +28907,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ 
@@ -28908,8 +28946,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", + "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" ], "tags": [ @@ -28975,8 +29013,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/Hackplayers/evil-winrm", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml" ], "tags": [ @@ -29009,8 +29047,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", "https://hashcat.net/wiki/doku.php?id=hashcat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" ], "tags": [ 
@@ -29109,8 +29147,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1460815932402679809", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/", + "https://twitter.com/mrd0x/status/1460815932402679809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml" ], "tags": [ @@ -29144,8 +29182,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml" ], "tags": [ @@ -29178,8 +29216,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], 
@@ -29213,8 +29251,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" ], "tags": [ @@ -29247,8 +29285,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" ], "tags": [ @@ -29282,10 +29320,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://twitter.com/EricaZelic/status/1614075109827874817", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://twitter.com/EricaZelic/status/1614075109827874817", + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ 
@@ -29334,9 +29372,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], "tags": [ @@ -29369,8 +29407,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml" ], "tags": [ 
@@ -29438,14 +29476,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://twitter.com/Hexacorn/status/776122138063409152", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ @@ -29520,8 +29558,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" ], "tags": [ 
@@ -29562,9 +29600,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/Hexacorn/status/1420053502554951689", "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ @@ -29676,10 +29714,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -29778,8 +29816,8 @@ "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ 
@@ -29871,8 +29909,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], @@ -29975,9 +30013,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://redcanary.com/blog/child-processes/", - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -30010,9 +30048,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/RedDrip7/status/1506480588827467785", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", - "https://twitter.com/RedDrip7/status/1506480588827467785", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ 
@@ -30045,9 +30083,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995837734379032576", - "https://twitter.com/pabraeken/status/999090532839313408", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", + "https://twitter.com/pabraeken/status/999090532839313408", + "https://twitter.com/pabraeken/status/995837734379032576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], "tags": [ @@ -30080,9 +30118,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", - "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml" ], "tags": [ 
@@ -30156,9 +30194,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ 
@@ -30259,17 +30297,17 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - 
"https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ @@ -30319,8 +30357,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" ], "tags": [ @@ -30369,8 +30407,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml" ], "tags": [ @@ -30584,9 +30622,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.cobaltstrike.com/help-windows-executable", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/threat-detection-report/", - "https://www.cobaltstrike.com/help-windows-executable", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" ], "tags": [ 
@@ -30619,9 +30657,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], @@ -30665,8 +30703,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml" ], "tags": [ @@ -30699,9 +30737,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://unicode-explorer.com/c/202E", "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", "https://redcanary.com/blog/right-to-left-override/", - "https://unicode-explorer.com/c/202E", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], "tags": [ 
@@ -30801,8 +30839,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" ], "tags": [ @@ -30937,8 +30975,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1461041276514623491", - "https://twitter.com/tccontre18/status/1480950986650832903", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/tccontre18/status/1480950986650832903", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], "tags": [ 
@@ -30972,11 +31010,11 @@ "logsource.product": "windows", "refs": [ "https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/", - "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf", - "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", + "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/", "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", - "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/", + "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf", + "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", "https://www.softperfect.com/products/networkscanner/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml" ], @@ -31119,8 +31157,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], 
@@ -31197,8 +31235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" ], "tags": [ @@ -31274,8 +31312,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml" ], "tags": [ @@ -31308,8 +31346,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md", "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml" ], "tags": [ 
@@ -31485,9 +31523,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ @@ -31537,9 +31575,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ 
@@ -31607,8 +31645,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" ], "tags": [ @@ -31641,9 +31679,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", - "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], @@ -31709,8 +31747,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml" ], "tags": [ 
@@ -31842,8 +31880,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ @@ -31885,8 +31923,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml" ], "tags": [ @@ -31936,8 +31974,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" ], 
@@ -32013,9 +32051,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" ], "tags": [ @@ -32091,10 +32129,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://youtu.be/5mqid-7zp8k?t=2481", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], "tags": [ @@ -32152,8 +32190,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Desk/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml" ], "tags": [ 
@@ -32219,8 +32257,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
@@ -32322,12 +32360,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://isc.sans.edu/diary/22264",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://isc.sans.edu/diary/22264",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -32440,8 +32478,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml"
 ],
 "tags": [
@@ -32660,9 +32698,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
 "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922",
 "https://github.com/grayhatkiller/SharpExShell",
+ "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml"
 ],
 "tags": [
@@ -32695,9 +32733,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
 "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
- "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"
 ],
 "tags": [
@@ -32805,8 +32843,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap",
 "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml"
 ],
 "tags": [
@@ -32930,10 +32968,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535322450858233858",
 "https://twitter.com/bohops/status/1276357235954909188?s=12",
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
+ "https://twitter.com/nas_bench/status/1535322450858233858",
 "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
+ "https://twitter.com/CyberRaiju/status/1273597319322058752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
 ],
 "tags": [
@@ -32966,9 +33004,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/chromeloader-malware/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
 "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
+ "https://unit42.paloaltonetworks.com/chromeloader-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml"
 ],
 "tags": [
@@ -33010,9 +33048,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml"
 ],
@@ -33104,9 +33142,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
 ],
 "tags": [
@@ -33140,14 +33178,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gN3mes1s/status/941315826107510784",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
 "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
 ],
 "tags": [
@@ -33212,9 +33250,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
 ],
 "tags": [
@@ -33328,9 +33366,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.scythe.io/library/threat-emulation-qakbot",
 "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
+ "https://www.scythe.io/library/threat-emulation-qakbot",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml"
 ],
 "tags": [
@@ -33386,9 +33424,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png",
+ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
+ "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml"
 ],
 "tags": [
@@ -33423,9 +33461,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml"
 ],
 "tags": [
@@ -33492,9 +33530,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
 "https://twitter.com/pabraeken/status/990717080805789697",
 "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
- "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
 ],
 "tags": [
@@ -33571,8 +33609,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
- "https://www.echotrail.io/insights/search/regsvr32.exe",
 "https://redcanary.com/blog/intelligence-insights-april-2022/",
+ "https://www.echotrail.io/insights/search/regsvr32.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml"
 ],
 "tags": [
@@ -33728,9 +33766,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
 "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
 "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml"
 ],
@@ -33832,10 +33870,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
 "https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
 ],
 "tags": [
@@ -33877,8 +33915,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter",
+ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml"
 ],
 "tags": [
@@ -33912,8 +33950,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
 ],
 "tags": [
@@ -33946,10 +33984,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
 ],
@@ -33991,8 +34029,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
 "https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
+ "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml"
 ],
 "tags": [
@@ -34034,9 +34072,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
 ],
 "tags": [
@@ -34092,9 +34130,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
 "https://www.exploit-db.com/exploits/37525",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
+ "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
 ],
 "tags": [
@@ -34195,10 +34233,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf",
- "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
- "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/",
- "https://github.com/AlessandroZ/LaZagne/tree/master",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
+ "https://github.com/AlessandroZ/LaZagne/tree/master",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml"
 ],
 "tags": [
@@ -34221,8 +34259,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/child-processes/",
 "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
+ "https://redcanary.com/blog/child-processes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml"
 ],
 "tags": [
@@ -34355,8 +34393,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive",
 "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
+ "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml"
 ],
 "tags": [
@@ -34389,8 +34427,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
 ],
 "tags": [
@@ -34457,10 +34495,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
 "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
- "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
 ],
 "tags": [
@@ -34493,10 +34531,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/",
 "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/",
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml"
 ],
 "tags": [
@@ -34528,8 +34566,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml"
 ],
 "tags": [
@@ -34562,8 +34600,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
 "https://ss64.com/nt/mklink.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
 ],
 "tags": [
@@ -34642,9 +34680,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+ "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
 ],
@@ -34788,12 +34826,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml"
 ],
 "tags": [
@@ -34902,10 +34940,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
 "https://github.com/wunderwuzzi23/firefox-cookiemonster",
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
 "https://github.com/defaultnamehere/cookie_crimes/",
+ "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
 ],
 "tags": [
@@ -35141,9 +35179,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.revshells.com/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://nmap.org/ncat/",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
 ],
 "tags": [
@@ -35243,8 +35281,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"
 ],
 "tags": [
@@ -35326,8 +35364,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
 "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml"
 ],
 "tags": [
@@ -35402,9 +35440,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
 "https://twitter.com/gN3mes1s/status/1222088214581825540",
 "https://twitter.com/gN3mes1s/status/1222095963789111296",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
 ],
 "tags": [
@@ -35461,11 +35499,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://twitter.com/cyberwar_15/status/1187287262054076416",
- "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
+ "https://twitter.com/cyberwar_15/status/1187287262054076416",
 "https://blog.alyac.co.kr/1901",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
 "tags": [
@@ -35517,10 +35555,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive",
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
- "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
 "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
+ "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
 ],
 "tags": [
@@ -35586,8 +35624,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml"
 ],
 "tags": [
@@ -35620,8 +35658,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
 ],
@@ -35712,9 +35750,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
 "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
 "https://twitter.com/n1nj4sec/status/1421190238081277959",
- "https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"
 ],
 "tags": [
@@ -35738,8 +35776,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
 "https://twitter.com/vysecurity/status/977198418354491392",
+ "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml"
 ],
 "tags": [
@@ -35780,9 +35818,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
 ],
 "tags": [
@@ -35964,8 +36002,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
 "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
+ "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
 ],
 "tags": [
@@ -36033,12 +36071,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/eral4m/status/1479080793003671557",
- "https://twitter.com/Hexacorn/status/885258886428725250",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
- "https://twitter.com/nas_bench/status/1433344116071583746",
 "https://twitter.com/eral4m/status/1479106975967240209",
 "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
+ "https://twitter.com/eral4m/status/1479080793003671557",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
 ],
 "tags": [
@@ -36138,8 +36176,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
- "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
 "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
+ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
 ],
 "tags": [
@@ -36229,8 +36267,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
 "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml"
 ],
 "tags": [
@@ -36266,11 +36304,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
 "tags": [
@@ -36378,8 +36416,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Hexacorn/status/1224848930795552769",
 "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml"
 ],
 "tags": [
@@ -36478,9 +36516,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml"
 ],
 "tags": [
@@ -36570,8 +36608,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml"
 ],
@@ -36638,8 +36676,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://github.com/malcomvetter/CSExec",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml"
 ],
 "tags": [
@@ -36921,8 +36959,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/ber_m1ng/status/1397948048135778309",
 "https://www.cobaltstrike.com/help-opsec",
+ "https://twitter.com/ber_m1ng/status/1397948048135778309",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml"
 ],
 "tags": [
@@ -37021,10 +37059,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://twitter.com/0gtweet/status/1628720819537936386",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
 ],
@@ -37061,8 +37099,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.revshells.com/",
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
 ],
 "tags": [
@@ -37219,9 +37257,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.intrinsec.com/akira_ransomware/",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml"
 ],
 "tags": [
@@ -37336,9 +37374,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hatching.io/blog/powershell-analysis/",
- "https://lab52.io/blog/winter-vivern-all-summer/",
 "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
+ "https://lab52.io/blog/winter-vivern-all-summer/",
+ "https://hatching.io/blog/powershell-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
 ],
 "tags": [
@@ -37438,10 +37476,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
 ],
 "tags": [
@@ -37525,9 +37563,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
 ],
 "tags": [
@@ -37644,8 +37682,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://twitter.com/nas_bench/status/1534957360032120833",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml"
 ],
@@ -37796,8 +37834,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
 "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
+ "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
 ],
 "tags": [
@@ -37898,8 +37936,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml"
 ],
 "tags": [
@@ -37932,8 +37970,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+ "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml"
 ],
 "tags": [
@@ -38009,8 +38047,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
 "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
+ "https://github.com/byt3bl33d3r/CrackMapExec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml"
 ],
 "tags": [
@@ -38275,8 +38313,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
 "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml"
 ],
 "tags": [
@@ -38410,10 +38448,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
 "https://nodejs.org/api/cli.html",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
 ],
 "tags": [
@@ -38446,9 +38484,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml"
 ],
 "tags": [
@@ -38471,8 +38509,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
 "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
+ "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
 "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml"
 ],
@@ -38507,9 +38545,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml"
 ],
 "tags": [
@@ -38542,8 +38580,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml"
 ],
 "tags": [
@@ -38599,24 +38637,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/besimorhino/powercat",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/adrecon/AzureADRecon",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/samratashok/nishang",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://adsecurity.org/?p=2921",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
 "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://adsecurity.org/?p=2921",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/besimorhino/powercat",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -38706,8 +38744,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
 "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
+ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml"
 ],
 "tags": [
@@ -38764,8 +38802,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/",
 "https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/",
+ "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml"
 ],
 "tags": [
@@ -38798,8 +38836,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+ "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml"
 ],
@@ -38867,8 +38905,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml"
 ],
 "tags": [
@@ -38901,8 +38939,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
 "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
+ "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml"
 ],
 "tags": [
@@ -39043,9 +39081,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
 "https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml"
 ],
 "tags": [
@@ -39187,11 +39225,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cloudflare/cloudflared/releases",
 "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
 "https://www.intrinsec.com/akira_ransomware/",
 "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://github.com/cloudflare/cloudflared/releases",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml"
 ],
 "tags": [
@@ -39409,8 +39447,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml"
 ],
 "tags": [
@@ -39466,9 +39504,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
 "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
 "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml"
 ],
@@ -39535,8 +39573,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/blackorbird/status/1140519090961825792",
 "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
+ "https://twitter.com/blackorbird/status/1140519090961825792",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -39604,9 +39642,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
 "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
- "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"
 ],
@@ -39640,9 +39678,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"
 ],
 "tags": [
@@ -39733,12 +39771,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/ohpe/juicy-potato",
- "https://pentestlab.blog/2017/04/13/hot-potato/",
 "https://www.localpotato.com/",
 "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://github.com/ohpe/juicy-potato",
 "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
 ],
 "tags": [
@@ -39839,12 +39877,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
 "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -40099,9 +40137,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
 "https://github.com/samratashok/ADModule",
 "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
 ],
 "tags": [
@@ -40195,13 +40233,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
- "https://twitter.com/xorJosh/status/1598646907802451969",
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
- "https://ngrok.com/docs",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
 "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
+ "https://ngrok.com/docs",
+ "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://twitter.com/xorJosh/status/1598646907802451969",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
 ],
 "tags": [
@@ -40267,8 +40305,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
 ],
@@ -40337,8 +40375,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
 "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml"
 ],
@@ -40372,8 +40410,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml"
 ],
 "tags": [
@@ -40443,8 +40481,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
 "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
+ "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
 ],
 "tags": [
@@ -40520,8 +40558,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
 "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
 "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml"
 ],
@@ -40621,8 +40659,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"
 ],
 "tags": [
@@ -40688,8 +40726,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml"
 ],
 "tags": [
@@ -40758,8 +40796,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"
 ],
 "tags": [
@@ -40793,10 +40831,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://twitter.com/egre55/status/1087685529016193025",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
 ],
@@ -40956,15 +40994,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -41039,9 +41077,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml"
 ],
 "tags": [
@@ -41191,8 +41229,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
 "https://www.radmin.fr/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"
 ],
 "tags": [
@@ -41227,8 +41265,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
- "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
 "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
+ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
 ],
 "tags": [
@@ -41261,10 +41299,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
- "https://adsecurity.org/?p=2604",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
+ "https://adsecurity.org/?p=2604",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"
 ],
 "tags": [
@@ -41297,9 +41335,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml"
 ],
 "tags": [
@@ -41405,8 +41443,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
 ],
 "tags": [
@@ -41496,8 +41534,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
 "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
+ "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml"
 ],
 "tags": [
@@ -41530,12 +41568,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
 "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
 ],
 "tags": [
@@ -41568,9 +41606,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
 "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
 ],
@@ -41639,8 +41677,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
 "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml"
 ],
 "tags": [
@@ -41663,9 +41701,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/M_haggis/status/1699056847154725107",
 "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
 "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
- "https://twitter.com/M_haggis/status/1699056847154725107",
 "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"
 ],
@@ -41690,9 +41728,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://en.wikipedia.org/wiki/HTML_Application",
 "https://www.echotrail.io/insights/search/mshta.exe",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
 ],
 "tags": [
@@ -41726,8 +41764,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
- "https://github.com/fireeye/DueDLLigence",
 "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
+ "https://github.com/fireeye/DueDLLigence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
 ],
 "tags": [
@@ -41845,10 +41883,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
 "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
- "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
 "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
+ "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
 ],
 "tags": [
@@ -41915,15 +41953,15 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml"
 ],
 "tags": [
@@ -41979,11 +42017,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
- "https://twitter.com/mattifestation/status/1326228491302563846",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script",
- "http://blog.sevagas.com/?Hacking-around-HTA-files",
 "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
+ "http://blog.sevagas.com/?Hacking-around-HTA-files",
+ "https://twitter.com/mattifestation/status/1326228491302563846",
+ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
 ],
 "tags": [
@@ -42034,15 +42072,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf",
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://www.group-ib.com/blog/apt41-world-tour-2021/",
- "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1",
 "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/",
+ "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3",
+ "https://www.group-ib.com/blog/apt41-world-tour-2021/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml"
 ],
 "tags": [
@@ -42245,10 +42283,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml"
 ],
 "tags": [
@@ -42307,9 +42345,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
- "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
 "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
+ "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml"
 ],
 "tags": [
@@ -42343,8 +42381,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
@@ -42455,13 +42493,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://www.cobaltstrike.com/help-opsec",
 "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
 "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
 "https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
- "https://www.cobaltstrike.com/help-opsec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
 ],
 "tags": [
@@ -42550,9 +42588,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
 "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml"
 ],
 "tags": [
@@ -42732,9 +42770,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/binderlabs/DirCreate2System",
 "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml"
 ],
 "tags": [
@@ -42757,8 +42795,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -42781,8 +42819,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/outflanknl/Dumpert",
 "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml"
 ],
 "tags": [
@@ -42856,8 +42894,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/gootloader/",
 "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://redcanary.com/blog/gootloader/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml"
 ],
 "tags": [
@@ -42991,8 +43029,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.revshells.com/",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml"
 ],
 "tags": [
@@ -43116,11 +43154,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
 "https://twitter.com/pfiatde/status/1681977680688738305",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
- "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
 "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
+ "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml"
 ],
 "tags": [
@@ -43220,8 +43258,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
 "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml"
 ],
 "tags": [
@@ -43357,8 +43395,8 @@
 "refs": [
 "https://www.activecyber.us/activelabs/windows-uac-bypass",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
- "https://twitter.com/ReaQta/status/1222548288731217921",
 "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
+ "https://twitter.com/ReaQta/status/1222548288731217921",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
 ],
 "tags": [
@@ -43549,8 +43587,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://twitter.com/orange_8361/status/1518970259868626944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml"
 ],
 "tags": [
@@ -43945,8 +43983,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml"
 ],
 "tags": [
@@ -43970,8 +44008,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.nirsoft.net/utils/nircmd.html",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
 ],
 "tags": [
@@ -44197,8 +44235,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
 "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis",
+ "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml"
 ],
 "tags": [
@@ -44340,9 +44378,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/",
 "https://kb.acronis.com/content/60892",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd",
+ "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml"
 ],
 "tags": [
@@ -44407,8 +44445,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/threat-detection-report/threats/qbot/",
 "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
 ],
 "tags": [
@@ -44476,9 +44514,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml"
 ],
 "tags": [
@@ -44511,8 +44549,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1477925112561209344",
 "https://twitter.com/wdormann/status/1478011052130459653?s=20",
+ "https://twitter.com/0gtweet/status/1477925112561209344",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml"
 ],
 "tags": [
@@ -44535,8 +44573,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
 ],
@@ -44704,8 +44742,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml"
 ],
 "tags": [
@@ -44738,8 +44776,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"
 ],
 "tags": [
@@ -44773,10 +44811,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
 ],
 "tags": [
@@ -44826,10 +44864,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml"
 ],
 "tags": [
@@ -45011,13 +45049,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
- "https://twitter.com/Wietze/status/1542107456507203586",
- "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
 "https://twitter.com/shantanukhande/status/1229348874298388484",
 "https://twitter.com/Hexacorn/status/1224848930795552769",
 "https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
+ "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py",
+ "https://twitter.com/Wietze/status/1542107456507203586",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
 ],
 "tags": [
@@ -45060,8 +45098,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"
 ],
@@ -45095,8 +45133,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml"
 ],
 "tags": [
@@ -45165,9 +45203,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/ps/foreach-object.html",
 "https://ss64.com/nt/for.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://ss64.com/ps/foreach-object.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
 ],
 "tags": [
@@ -45210,8 +45248,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/mrd0x/status/1461041276514623491",
- "https://twitter.com/tccontre18/status/1480950986650832903",
 "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
+ "https://twitter.com/tccontre18/status/1480950986650832903",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"
 ],
 "tags": [
@@ -45463,8 +45501,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml"
 ],
 "tags": [
@@ -45661,11 +45699,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+ "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
 "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
 "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
- "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
 ],
 "tags": [
@@ -45809,8 +45847,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
 "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"
 ],
 "tags": [
@@ -45843,11 +45881,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
- "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
 "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
- "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml"
 ],
 "tags": [
@@ -45880,10 +45918,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
- "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
- "https://twitter.com/mattifestation/status/986280382042595328",
 "https://atomicredteam.io/defense-evasion/T1220/",
+ "https://twitter.com/mattifestation/status/986280382042595328",
+ "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
 ],
 "tags": [
@@ -45941,8 +45979,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://abuse.io/lockergoga.txt",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml"
 ],
@@ -45985,8 +46023,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md",
+ "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml"
 ],
 "tags": [
@@ -46106,12 +46144,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
+ "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/vletoux/pingcastle",
 "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
 "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
- "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
 "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
- "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
 "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml"
 ],
@@ -46255,8 +46293,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml"
 ],
 "tags": [
@@ -46289,8 +46327,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
 "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml"
 ],
 "tags": [
@@ -46323,8 +46361,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/skelsec/pypykatz",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
+ "https://github.com/skelsec/pypykatz",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml"
 ],
 "tags": [
@@ -46467,11 +46505,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/bohops/status/980659399495741441",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
 "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
 "https://twitter.com/JohnLaTwC/status/1223292479270600706",
- "https://twitter.com/bohops/status/980659399495741441",
 "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
 ],
 "tags": [
@@ -46504,8 +46542,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml"
 ],
 "tags": [
@@ -46639,9 +46677,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
 ],
 "tags": [
@@ -46817,11 +46855,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://twitter.com/_JohnHammond/status/1708910264261980634",
+ "https://twitter.com/egre55/status/1087685529016193025",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
 ],
 "tags": [
@@ -46896,11 +46934,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
 "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://twitter.com/christophetd/status/1164506034720952320",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
- "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
 ],
 "tags": [
@@ -47033,9 +47071,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -47058,8 +47096,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"
 ],
@@ -47145,9 +47183,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml"
 ],
 "tags": [
@@ -47271,8 +47309,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://tools.thehacker.recipes/mimikatz/modules",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"
 ],
 "tags": [
@@ -47337,8 +47375,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect",
 "https://twitter.com/bohops/status/1635288066909966338",
+ "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml"
 ],
 "tags": [
@@ -47581,12 +47619,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
 "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
- "https://positive.security/blog/ms-officecmd-rce",
- "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
- "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
 "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
+ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
+ "https://positive.security/blog/ms-officecmd-rce",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml"
 ],
 "tags": [
@@ -47694,8 +47732,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hackvens/CoercedPotato",
 "https://blog.hackvens.fr/articles/CoercedPotato.html",
+ "https://github.com/hackvens/CoercedPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml"
 ],
 "tags": [
@@ -47763,8 +47801,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/dsacls.html",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
+ "https://ss64.com/nt/dsacls.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml"
 ],
 "tags": [
@@ -47897,11 +47935,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
- "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
 "https://twitter.com/max_mal_/status/1542461200797163522",
+ "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
+ "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
 ],
 "tags": [
@@ -47934,8 +47972,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bryon_/status/975835709587075072",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
+ "https://twitter.com/bryon_/status/975835709587075072",
 "https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml"
 ],
@@ -48027,9 +48065,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details",
- "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software",
 "https://boinc.berkeley.edu/",
+ "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software",
+ "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml"
 ],
 "tags": [
@@ -48104,9 +48142,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
 ],
 "tags": [
@@ -48130,8 +48168,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"
 ],
 "tags": [
@@ -48164,8 +48202,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/muddywater/88059/",
 "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
+ "https://securelist.com/muddywater/88059/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml"
 ],
 "tags": [
@@ -48198,8 +48236,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"
 ],
 "tags": [
@@ -48296,8 +48334,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://securelist.com/locked-out/68960/",
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
 "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml"
 ],
 "tags": [
@@ -48363,9 +48401,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
+ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
 ],
@@ -48479,8 +48517,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
 "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml"
 ],
 "tags": [
@@ -48719,9 +48757,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
 "https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
 ],
 "tags": [
@@ -48829,8 +48867,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/180",
 "https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/180",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml"
 ],
 "tags": [
@@ -48897,8 +48935,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bopin2020/status/1366400799199272960",
 "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://twitter.com/bopin2020/status/1366400799199272960",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml"
 ],
 "tags": [
@@ -48939,10 +48977,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1583356502340870144",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+ "https://twitter.com/0gtweet/status/1583356502340870144",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml"
 ],
 "tags": [
@@ -49019,14 +49057,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
 "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
 "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
 ],
 "tags": [
@@ -49141,8 +49179,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/39828/",
 "https://twitter.com/GelosSnake/status/934900723426439170",
+ "https://asec.ahnlab.com/en/39828/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"
 ],
 "tags": [
@@ -49245,9 +49283,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
 "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml"
 ],
 "tags": [
@@ -49281,11 +49319,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
- "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
 "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
- "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
 ],
 "tags": [
@@ -49327,10 +49365,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://vms.drweb.fr/virus/?i=24144899",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://twitter.com/JohnLaTwC/status/1415295021041979392",
- "https://vms.drweb.fr/virus/?i=24144899",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
 ],
 "tags": [
@@ -49363,8 +49401,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/software/S0404/",
 "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://attack.mitre.org/software/S0404/",
 "https://twitter.com/vxunderground/status/1423336151860002816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml"
 ],
@@ -49448,8 +49486,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
 ],
 "tags": [
@@ -49546,8 +49584,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://processhacker.sourceforge.io/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://processhacker.sourceforge.io/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml"
 ],
 "tags": [
@@ -49599,8 +49637,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
 "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
+ "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
 ],
 "tags": [
@@ -49633,10 +49671,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
- "https://twitter.com/nas_bench/status/1537896324837781506",
 "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
+ "https://twitter.com/nas_bench/status/1537896324837781506",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
 ],
 "tags": [
@@ -49669,8 +49707,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/38156/",
 "https://github.com/fatedier/frp",
+ "https://asec.ahnlab.com/en/38156/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml"
 ],
 "tags": [
@@ -49703,9 +49741,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt",
- "Internal Research",
 "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt",
+ "Internal Research",
+ "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml"
 ],
 "tags": [
@@ -49827,8 +49865,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml"
 ],
 "tags": [
@@ -49894,9 +49932,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
- "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery",
+ "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml"
 ],
 "tags": [
@@ -49998,8 +50036,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
 "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml"
 ],
 "tags": [
@@ -50159,8 +50197,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
- "https://twitter.com/fr0s7_/status/1712780207105404948",
 "https://h.43z.one/ipconverter/",
+ "https://twitter.com/fr0s7_/status/1712780207105404948",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
 ],
 "tags": [
@@ -50184,9 +50222,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
 "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"
 ],
 "tags": [
@@ -50317,8 +50355,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml"
 ],
 "tags": [
@@ -50430,8 +50468,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs",
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml"
 ],
 "tags": [
@@ -50499,8 +50537,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
 "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -50575,9 +50613,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
 ],
 "tags": [
@@ -50711,8 +50749,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
- "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
 "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
+ "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml"
 ],
 "tags": [
@@ -50733,37 +50771,39 @@
 "value": "Enable LM Hash Storage - ProcCreation"
 },
 {
- "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.",
+ "description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
 "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022-10-25",
+ "author": "@Kostastsale",
+ "creation_date": "2024-09-22",
 "falsepositive": [
- "Unknown"
+ "False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host."
 ],
- "filename": "proc_creation_win_susp_office_token_search.yml",
+ "filename": "proc_creation_win_remote_access_tools_meshagent_exec.yml",
 "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mrd0x.com/stealing-tokens-from-office-applications/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml"
+ "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173",
+ "https://github.com/Ylianst/MeshAgent",
+ "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1528"
+ "attack.command-and-control",
+ "attack.t1219"
 ]
 },
 "related": [
 {
- "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
- "value": "Suspicious Office Token Search Via CLI"
+ "uuid": "74a2b202-73e0-4693-9a3a-9d36146d0775",
+ "value": "Remote Access Tool - MeshAgent Command Execution via MeshCentral"
 },
 {
 "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique",
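Review bot: This hunk replaces the "Suspicious Office Token Search Via CLI" cluster (uuid 6d3a3952-6530-44a3-8554-cf17c116c615, dest-uuid 890c9858-598c-401d-a4d5-c67ebcdd703a) in place with the new MeshAgent entry (uuid 74a2b202-73e0-4693-9a3a-9d36146d0775), so unless the old entry is re-added elsewhere in the diff it silently disappears from the galaxy and any MISP event or galaxy relation that tagged that uuid will dangle; a removal should be an explicit upstream deprecation, not a side effect of regeneration, so please confirm which it is in the commit message. The new falsepositive text spells the tool "MessAgent" and "MessAgent.exe" twice while the description, value and refs all say MeshAgent — the typo will reduce search hits in MISP and should be corrected in the upstream Sigma rule (the source this file is generated from) rather than patched here. The related dest-uuid 4061e78c-1284-44b4-9116-73e4ac3912f7 is presumably the ATT&CK entry for the new attack.t1219 tag; worth confirming it resolves in the mitre-attack-pattern galaxy since the tags changed from t1528 to t1219 at the same time.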
@@ -50914,8 +50954,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
 "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
+ "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml"
 ],
 "tags": [
@@ -50948,13 +50988,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://www.joeware.net/freetools/tools/adfind/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
 ],
 "tags": [
@@ -51012,8 +51052,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
 "https://sourceforge.net/projects/mouselock/",
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml"
 ],
 "tags": [
@@ -51047,9 +51087,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
 "https://twitter.com/0gtweet/status/1564968845726580736",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
 "tags": [
@@ -51166,12 +51206,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
 "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml"
 ],
 "tags": [
@@ -51280,8 +51320,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
 "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
+ "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
 "https://github.com/jpillora/chisel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
 ],
@@ -51383,9 +51423,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
- "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml"
 ],
 "tags": [
@@ -51442,10 +51482,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
 "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
- "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
 "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
+ "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
 ],
 "tags": [
@@ -51511,9 +51551,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
 ],
 "tags": [
@@ -51630,8 +51670,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
+ "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
 ],
 "tags": [
@@ -51699,9 +51739,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
 ],
 "tags": [
@@ -51970,8 +52010,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
 "https://www.autohotkey.com/download/",
+ "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml"
 ],
 "tags": [
@@ -52138,8 +52178,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/outflanknl/NetshHelperBeacon",
 "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/",
+ "https://github.com/outflanknl/NetshHelperBeacon",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"
 ],
@@ -52454,8 +52494,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/974806438316072960",
 "https://twitter.com/vysecurity/status/873181705024266241",
+ "https://twitter.com/vysecurity/status/974806438316072960",
 "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
@@ -52490,8 +52530,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"
 ],
 "tags": [
@@ -52801,8 +52841,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
 ],
@@ -52836,9 +52876,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
 "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml"
 ],
 "tags": [
@@ -53133,9 +53173,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/chromeloader-malware/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
 "https://lolbas-project.github.io/lolbas/Binaries/Tar/",
+ "https://unit42.paloaltonetworks.com/chromeloader-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml"
 ],
 "tags": [
@@ -53313,8 +53353,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/frgnca/AudioDeviceCmdlets",
- "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
 ],
 "tags": [
@@ -53347,8 +53387,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/tevora-threat/SharpView/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
+ "https://github.com/tevora-threat/SharpView/",
 "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
 ],
@@ -53414,8 +53454,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml"
 ],
 "tags": [
@@ -53490,8 +53530,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
 ],
 "tags": [
@@ -53525,8 +53565,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml"
 ],
 "tags": [
@@ -53559,8 +53599,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/1270633613449723905",
 "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
+ "https://twitter.com/Oddvarmoe/status/1270633613449723905",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml"
 ],
 "tags": [
@@ -53593,9 +53633,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels",
 "https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml"
 ],
 "tags": [
@@ -53629,8 +53669,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
 "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
+ "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml"
 ],
 "tags": [
@@ -53697,8 +53737,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
 "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
+ "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml"
 ],
 "tags": [
@@ -53740,8 +53780,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml"
 ],
 "tags": [
@@ -53775,9 +53815,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"
 ],
 "tags": [
@@ -53852,8 +53892,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
 ],
@@ -53944,8 +53984,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
 "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml"
 ],
 "tags": [
@@ -53978,10 +54018,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", - "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior", + "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", + "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml" ], "tags": [ @@ -54049,10 +54089,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": [ 
@@ -54360,8 +54400,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", + "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml" ], "tags": [ @@ -54438,8 +54478,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml" ], "tags": [ @@ -54473,8 +54513,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml" ], "tags": [ 
@@ -54497,13 +54537,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" ], "tags": [ 
@@ -54538,11 +54578,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://twitter.com/gN3mes1s/status/1206874118282448897", - "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], "tags": [ @@ -54712,8 +54752,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1359039665232306183?s=21", "https://ss64.com/nt/logman.html", + "https://twitter.com/0gtweet/status/1359039665232306183?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ 
@@ -54879,9 +54919,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/151", "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", - "https://github.com/LOLBAS-Project/LOLBAS/pull/151", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml" ], "tags": [ @@ -54923,8 +54963,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml" ], "tags": [ @@ -54957,8 +54997,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1562072617552678912", "https://ss64.com/nt/cmd.html", + "https://twitter.com/cyb3rops/status/1562072617552678912", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml" ], "tags": [ 
@@ -54991,8 +55031,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml" ], "tags": [ @@ -55328,9 +55368,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], "tags": [ @@ -55363,10 +55403,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://zero2auto.com/2020/05/19/netwalker-re/", "https://mez0.cc/posts/cobaltstrike-powershell-exec/", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://redcanary.com/blog/yellow-cockatoo/", + "https://zero2auto.com/2020/05/19/netwalker-re/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ 
@@ -55493,9 +55533,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://github.com/RiccardoAncarani/LiquidSnake", "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -55596,8 +55636,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -55639,9 +55679,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://cydefops.com/vscode-data-exfiltration", - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://cydefops.com/vscode-data-exfiltration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml" ], "tags": [ 
@@ -55674,8 +55714,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://cydefops.com/devtunnels-unleashed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml" ], @@ -55709,8 +55749,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://megatools.megous.com/", "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://megatools.megous.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml" ], "tags": [ @@ -55930,11 +55970,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://youtu.be/n2dFlSaBBKo", - "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", - "https://github.com/looCiprian/GC2-sheet", - "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", + "https://youtu.be/n2dFlSaBBKo", + "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", + "https://github.com/looCiprian/GC2-sheet", + "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml" ], "tags": [ 
@@ -56001,8 +56041,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ @@ -56068,9 +56108,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://portmap.io/", "https://github.com/rapid7/metasploit-framework/issues/11337", "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2", + "https://portmap.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml" ], "tags": [ @@ -56215,9 +56255,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/", "Internal Research", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", - "https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml" ], "tags": [ 
@@ -56418,11 +56458,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://twitter.com/M_haggis/status/900741347035889665", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://twitter.com/M_haggis/status/1032799638213066752", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml" ], "tags": [ @@ -56488,8 +56528,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet", "https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", + "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml" ], "tags": [ 
@@ -56524,9 +56564,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/", - "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml" ], "tags": [ @@ -56559,10 +56599,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", - "https://tria.ge/240301-rk34sagf5x/behavioral2", "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d", + "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/", "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html", + "https://tria.ge/240301-rk34sagf5x/behavioral2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml" ], "tags": [ 
@@ -56618,10 +56658,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", - "https://ngrok.com/", - "https://ngrok.com/blog-post/new-ngrok-domains", "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://ngrok.com/", + "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", + "https://ngrok.com/blog-post/new-ngrok-domains", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml" ], "tags": [ @@ -56688,8 +56728,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", + "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", "https://www.poolwatch.io/coin/monero", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml" ], 
@@ -56799,10 +56839,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", - "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/", + "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia", + "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml" ], "tags": [ @@ -56843,8 +56883,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", + "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml" ], "tags": [ 
@@ -57140,9 +57180,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://twitter.com/forensicitguy/status/1513538712986079238", "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ @@ -57175,10 +57215,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", + "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml" ], "tags": [ 
@@ -57313,12 +57353,12 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", - "https://twitter.com/kleiton0x7e/status/1600567316810551296", - "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://github.com/kleiton0x00/RedditC2", + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/", + "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://twitter.com/kleiton0x7e/status/1600567316810551296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml" ], "tags": [ @@ -57479,8 +57519,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://ngrok.com/", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ 
@@ -57616,9 +57656,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], @@ -57721,8 +57761,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" 
@@ -57758,8 +57798,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker", + "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], @@ -57833,8 +57873,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://twitter.com/mattifestation/status/899646620148539397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -57992,9 +58032,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", - "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule", + "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170", + "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml" ], "tags": [ 
@@ -58147,8 +58187,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://twitter.com/mattifestation/status/899646620148539397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ @@ -58182,8 +58222,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" ], "tags": [ @@ -58235,8 +58275,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://twitter.com/duzvik/status/1269671601852813320", + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" ], "tags": [ 
@@ -58411,9 +58451,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -58597,7 +58637,7 @@ } ], "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "value": "Windows Defender Exclusion Reigstry Key - Write Access Requested" + "value": "Windows Defender Exclusion Registry Key - Write Access Requested" }, { "description": "Detects WRITE_DAC access to a domain object", @@ -58612,9 +58652,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ 
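Review bot: Correcting `Reigstry` to `Registry` in `value` while leaving `uuid` `e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d` untouched is the right way to rename a cluster element, but the rename is not purely cosmetic for deployed instances: MISP derives the galaxy tag name from the cluster value, so events already tagged under the misspelled name will no longer match this element once the galaxy is re-synced, while the uuid-based link continues to resolve. It would help operators to record the old and new value together in the cluster's changelog or release note so that events still carrying the old tag can be found and remapped. The hunk shows only the `uuid`/`value` pair and the start of the next element, so whether the element carries any other identifier a consumer might key on is not visible here.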
@@ -58647,8 +58687,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ @@ -58877,8 +58917,8 @@ "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", - "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://twitter.com/SBousseaden/status/1490608838701166596", + "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ @@ -58911,8 +58951,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1101431884540710913", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625", + "https://twitter.com/SBousseaden/status/1101431884540710913", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" ], "tags": [ 
@@ -59165,8 +59205,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" @@ -59192,9 +59232,9 @@ "logsource.product": "windows", "refs": [ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", - "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", + "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -59335,8 +59375,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], "tags": [ 
@@ -59402,9 +59442,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
 "tags": [
@@ -59538,9 +59578,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/topotam/PetitPotam",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
 "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
+ "https://github.com/topotam/PetitPotam",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
 "tags": [
@@ -59675,15 +59715,15 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -59766,9 +59806,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/menasec1/status/1106899890377052160",
 "https://www.secureworks.com/blog/ransomware-as-a-distraction",
 "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html",
+ "https://twitter.com/menasec1/status/1106899890377052160",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
 ],
 "tags": [
@@ -59843,9 +59883,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
- "https://adsecurity.org/?p=3466",
 "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
+ "https://adsecurity.org/?p=3466",
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
 ],
 "tags": [
@@ -59986,9 +60026,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://www.sans.org/webcasts/119395",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -60040,8 +60080,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
 ],
 "tags": [
@@ -60074,10 +60114,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
- "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://twitter.com/MsftSecIntel/status/1257324139515269121",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
 "tags": [
@@ -60253,8 +60293,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -60313,9 +60353,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
- "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
 "https://twitter.com/SBousseaden/status/1581300963650187264?",
+ "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
+ "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
 ],
 "tags": [
@@ -60382,8 +60422,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2053",
 "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
+ "https://adsecurity.org/?p=2053",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
 ],
 "tags": [
@@ -60450,9 +60490,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616",
 "Live environment caused by malware",
- "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
 ],
 "tags": [
@@ -60595,8 +60635,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=1714",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794",
+ "https://adsecurity.org/?p=1714",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml"
 ],
 "tags": [
@@ -60679,9 +60719,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml"
 ],
 "tags": [
@@ -60715,10 +60755,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
 "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://twitter.com/Flangvik/status/1283054508084473861",
- "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
 "tags": [
@@ -60826,9 +60866,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
 "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
 ],
 "tags": [
@@ -60861,8 +60901,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
 ],
@@ -61251,9 +61291,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://github.com/fox-it/LDAPFragger",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://github.com/fox-it/LDAPFragger",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -61627,10 +61667,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
 ],
 "tags": [
@@ -62135,8 +62175,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml"
 ],
 "tags": [
@@ -62316,8 +62356,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673",
 "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
 ],
 "tags": [
@@ -62350,11 +62390,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
- "https://github.com/sensepost/ruler/issues/47",
 "https://github.com/sensepost/ruler",
 "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
+ "https://github.com/sensepost/ruler/issues/47",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
 "tags": [
@@ -62563,8 +62603,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
 "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732",
+ "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml"
 ],
 "tags": [
@@ -62674,8 +62714,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
 "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
+ "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml"
 ],
 "tags": [
@@ -62944,8 +62984,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
 "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
+ "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml"
 ],
 "tags": [
@@ -63064,8 +63104,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
 "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
+ "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml"
 ],
 "tags": [
@@ -63158,11 +63198,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
 ],
 "tags": [
@@ -63246,8 +63286,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38",
 "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml"
 ],
 "tags": [
@@ -63315,11 +63355,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -63352,11 +63392,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
 ],
 "tags": [
@@ -63389,8 +63429,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
 "https://github.com/amjcyber/EDRNoiseMaker",
+ "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
 "https://github.com/netero1010/EDRSilencer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml"
 ],
@@ -63424,9 +63464,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml"
 ],
 "tags": [
@@ -63449,9 +63489,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml"
 ],
 "tags": [
@@ -63474,9 +63514,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml"
 ],
 "tags": [
@@ -63499,9 +63539,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml"
 ],
 "tags": [
@@ -63524,9 +63564,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml"
 ],
 "tags": [
@@ -63549,9 +63589,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml"
 ],
 "tags": [
@@ -63574,9 +63614,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml"
 ],
 "tags": [
@@ -63609,9 +63649,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "Internal Research",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml"
 ],
 "tags": [
@@ -63634,10 +63674,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://twitter.com/SBousseaden/status/1483810148602814466",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://twitter.com/SBousseaden/status/1483810148602814466",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
 "tags": [
@@ -63660,9 +63700,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://twitter.com/wdormann/status/1590434950335320065",
 "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml"
 ],
 "tags": [
@@ -64258,8 +64298,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
 "https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
 "https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
 ],
@@ -64326,8 +64366,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
 ],
 "tags": [
@@ -64348,7 +64388,7 @@
 "value": "Microsoft Defender Tamper Protection Trigger"
 },
 {
- "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
+ "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
 "meta": {
 "author": "Ján Trenčanský, frack113",
 "creation_date": "2020-07-28",
@@ -64361,8 +64401,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml"
 ],
@@ -64506,8 +64546,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml" ], @@ -64699,9 +64739,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml" ], "tags": [ 
@@ -64734,9 +64774,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "Internal Research", + "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" ], "tags": [ @@ -64837,8 +64877,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml" ], "tags": [ 
@@ -64872,9 +64912,9 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", - "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], "tags": [ @@ -64949,9 +64989,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ 
@@ -65084,11 +65124,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/DidierStevens/status/1217533958096924676", - "https://twitter.com/FlemmingRiis/status/1217147415482060800", - "https://nullsec.us/windows-event-log-audit-cve/", - "https://www.youtube.com/watch?v=ebmW42YYveI", "https://twitter.com/VM_vivisector/status/1217190929330655232", + "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://nullsec.us/windows-event-log-audit-cve/", + "https://twitter.com/FlemmingRiis/status/1217147415482060800", + "https://www.youtube.com/watch?v=ebmW42YYveI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], "tags": [ @@ -65238,8 +65278,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", + "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" ], 
@@ -65287,8 +65327,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/", + "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml" ], "tags": [ @@ -65321,8 +65361,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/", + "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml" ], "tags": [ @@ -65428,8 +65468,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml", "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml" ], "tags": [ 
@@ -65485,8 +65525,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml" ], "tags": [ @@ -65519,8 +65559,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/pull/4467", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", + "https://github.com/SigmaHQ/sigma/pull/4467", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml" ], "tags": [ @@ -65553,8 +65593,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/pull/4467", "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", + "https://github.com/SigmaHQ/sigma/pull/4467", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml" ], "tags": [ 
@@ -65585,12 +65625,12 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", - "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", - "https://ipurple.team/2024/07/15/sharphound-detection/", "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", + "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", + "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://ipurple.team/2024/07/15/sharphound-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -65639,8 +65679,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", + "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" ], "tags": [ 
@@ -66436,8 +66476,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml" ], "tags": [ @@ -66610,9 +66650,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], "tags": [ @@ -67559,9 +67599,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/wdormann/status/1347958161609809921", "https://twitter.com/jonasLyk/status/1347900440000811010", "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", - "https://twitter.com/wdormann/status/1347958161609809921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], "tags": [ 
@@ -67663,8 +67703,8 @@ "logsource.product": "windows", "refs": [ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -67698,8 +67738,8 @@ "logsource.product": "windows", "refs": [ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -67880,8 +67920,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml" ], "tags": [ 
@@ -67916,8 +67956,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml" ], "tags": [ @@ -67951,9 +67991,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://twitter.com/gentilkiwi/status/861641945944391680", - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ 
@@ -68068,11 +68108,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", + "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", + "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://winaero.com/enable-openssh-server-windows-10/", "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ 
@@ -68092,6 +68132,182 @@ "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "value": "OpenSSH Server Listening On Socket" }, + { + "description": "Detects the addition of a new module to an IIS server.", + "meta": { + "author": "frack113", + "creation_date": "2024-10-06", + "falsepositive": [ + "Legitimate administrator activity" + ], + "filename": "win_iis_module_added.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview", + "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", + "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_added.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1562.002", + "attack.t1505.004" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "dd857d3e-0c6e-457b-9b48-e82ae7f86bd7", + "value": "New Module Module Added To IIS Server" + }, + { + "description": "Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2024-10-06", + "falsepositive": [ + "Legitimate administrator activity" + ], + "filename": 
"win_iis_logging_etw_disabled.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/", + "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", + "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002", + "attack.t1505.004" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a5b40a90-baf5-4bf7-a6f7-373494881d22", + "value": "ETW Logging/Processing Option Disabled On IIS Server" + }, + { + "description": "Detects the removal of a previously installed IIS module.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2024-10-06", + "falsepositive": [ + "Legitimate administrator activity" + ], + "filename": "win_iis_module_removed.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview", + "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", + 
"https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1562.002", + "attack.t1505.004" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f", + "value": "Previously Installed IIS Module Was Removed" + }, + { + "description": "Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.", + "meta": { + "author": "frack113", + "creation_date": "2024-10-06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_iis_logging_http_disabled.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging", + "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis", + "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002", + "attack.t1505.004" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": 
"b46a801b-fd98-491c-a25a-bca25d6e3001", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e8ebd53a-30c2-45bd-81bb-74befba07bdb", + "value": "HTTP Logging Disabled On IIS Server" + }, { "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", "meta": { @@ -68105,9 +68321,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", - "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -68164,8 +68380,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ 
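Review bot: The added entry's display name `"value": "New Module Module Added To IIS Server"` repeats the word "Module", and two of the new descriptions read `"Detects changes to of the IIS server configuration ..."` (the ETW logging and HTTP logging entries), which should be `"Detects changes to the IIS server configuration ..."`. These strings appear to be copied verbatim from the titles and descriptions of the upstream Sigma rule files the `refs` point to, so a correction made only in this generated cluster would be reverted on the next regeneration; it should be fixed in the upstream rules (or the generator) and then regenerated here. The `uuid` fields are what consumers key on, so correcting the `value` text later should not invalidate existing tags, though I have not verified that nothing matches on the display name. The enclosing array of cluster elements starts and ends outside this hunk.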
@@ -68376,8 +68592,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" ], "tags": [ @@ -68400,9 +68616,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" ], "tags": [ 
@@ -68425,8 +68641,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" ], "tags": [ @@ -68450,8 +68666,8 @@ "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], @@ -68476,8 +68692,8 @@ "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], 
@@ -68502,8 +68718,8 @@ "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], @@ -68528,8 +68744,8 @@ "logsource.product": "windows", "refs": [ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], @@ -68780,8 +68996,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ 
@@ -68824,11 +69040,11 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://hijacklibs.net/", "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://hijacklibs.net/", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -68871,8 +69087,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/am0nsec/status/1412232114980982787", "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" ], "tags": [ 
@@ -69067,6 +69283,41 @@ "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "value": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE" }, + { + "description": "Detects potential DLL sideloading of Python DLL files.", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2024-10-06", + "falsepositive": [ + "Legitimate software using Python DLLs" + ], + "filename": "image_load_side_load_python.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/", + "https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python", + "https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_python.yml" + ], + "tags": [ + "attack.defense-evasion", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d36f7c12-14a3-4d48-b6b8-774b9c66f44d", + "value": "Potential Python DLL SideLoading" + }, { "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "meta": { 
@@ -69212,9 +69463,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://twitter.com/dez_/status/986614411711442944", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", - "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ @@ -69322,12 +69573,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/Wh04m1001/SysmonEoP", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://github.com/Wh04m1001/SysmonEoP", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ 
@@ -69371,9 +69622,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml" ], @@ -69482,8 +69733,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/tyranid/DotNetToJScript", "https://thewover.github.io/Introducing-Donut/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" 
@@ -69781,8 +70032,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", + "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ @@ -69825,10 +70076,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/DTCERT/status/1712785426895839339", "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html", - "https://twitter.com/Max_Mal_/status/1775222576639291859", "https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/", + "https://twitter.com/DTCERT/status/1712785426895839339", + "https://twitter.com/Max_Mal_/status/1775222576639291859", "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml" ], @@ -69872,9 +70123,9 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", - "https://github.com/bohops/WSMan-WinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ 
@@ -69992,9 +70243,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://securelist.com/apt-luminousmoth/103332/", "https://twitter.com/WhichbufferArda/status/1658829954182774784", "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", - "https://securelist.com/apt-luminousmoth/103332/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], "tags": [ @@ -70358,9 +70609,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], "tags": [ @@ -70504,8 +70755,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1547583317410607110", "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", + "https://twitter.com/wdormann/status/1547583317410607110", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" ], "tags": [ @@ -70540,8 +70791,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2921", "https://github.com/p3nt4/PowerShdll", + "https://adsecurity.org/?p=2921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" ], "tags": [ 
@@ -70656,8 +70907,8 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", - "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql", + "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml" ], "tags": [ @@ -70784,9 +71035,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://www.roboform.com/", "https://twitter.com/StopMalvertisin/status/1648604148848549888", - "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], "tags": [ @@ -70872,8 +71123,8 @@ "refs": [ "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/S12cybersecurity/RDPCredentialStealer", - "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", + "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], "tags": [ 
@@ -70973,8 +71224,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml" ], @@ -71278,8 +71529,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml" ], "tags": [ @@ -71302,8 +71553,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ 
@@ -71381,9 +71632,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/", "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml" ], @@ -72084,8 +72335,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/gabe-k/themebleed", "Internal Research", + "https://github.com/gabe-k/themebleed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml" ], "tags": [ @@ -72163,9 +72414,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ 
@@ -72298,9 +72549,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", - "https://github.com/bohops/WSMan-WinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -72472,7 +72723,7 @@ "value": "Nslookup PowerShell Download Cradle" }, { - "description": "Detects renamed powershell", + "description": "Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.\n", "meta": { "author": "Harish Segar, frack113", "creation_date": "2020-06-29", @@ -72489,7 +72740,8 @@ ], "tags": [ "attack.execution", - "attack.t1059.001" + "attack.t1059.001", + "attack.t1036.003" ] }, "related": [ @@ -72499,6 +72751,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", @@ -72551,8 +72810,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" ], "tags": [ 
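Review bot: The replacement `description` on the `Detects renamed powershell` element ends with an embedded newline (`…process names and process paths.\n`), which no other `description` in these hunks carries (compare `Detects potential DLL sideloading of Python DLL files.`) — it is the YAML block-scalar terminator of the upstream rule leaking into the JSON string and will render as a stray line break wherever MISP displays the text. Strip trailing whitespace in the generator when copying `description` (`description.rstrip()`), so the value reads `…process names and process paths.`; the same normalization would catch future rules written with `|` instead of `|-`. The casing `Powershell` in the same string should be `PowerShell`, but that text comes from the Sigma rule and should be fixed there rather than in this generated file.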
@@ -72820,8 +73079,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -72920,9 +73179,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4", + "https://adsecurity.org/?p=2604", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ 
@@ -72955,11 +73214,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps", "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -73026,8 +73285,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", + "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" ], "tags": [ 
@@ -73093,8 +73352,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", + "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ @@ -73127,9 +73386,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/samratashok/ADModule", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ @@ -73230,8 +73489,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ 
@@ -73330,8 +73589,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" ], @@ -73455,8 +73714,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" ], "tags": [ 
@@ -73587,24 +73846,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/besimorhino/powercat", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/Kevin-Robertson/Powermad", - "https://adsecurity.org/?p=2921", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://adsecurity.org/?p=2921", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + 
"https://github.com/besimorhino/powercat", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/samratashok/nishang", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -73938,8 +74197,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": [ @@ -74160,8 +74419,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ 
@@ -74227,8 +74486,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ @@ -74412,8 +74671,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ 
@@ -74591,8 +74850,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -74625,8 +74884,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml" ], "tags": [ @@ -74749,8 +75008,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", + "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ 
@@ -75073,10 +75332,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://youtu.be/5mqid-7zp8k?t=2481", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -75324,8 +75583,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md", "https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing", + "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md", "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml" ], 
@@ -75394,9 +75653,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -75552,8 +75811,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml" ], "tags": [ @@ -75619,10 +75878,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ 
@@ -75767,8 +76026,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", + "https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ @@ -75886,9 +76145,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", "https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", + "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml" ], "tags": [ @@ -75921,10 +76180,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://thedfirreport.com/2020/10/08/ryuks-return", "https://adsecurity.org/?p=2277", + "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ 
@@ -75991,8 +76250,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": [ @@ -76125,9 +76384,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ 
@@ -76269,11 +76528,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", - "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], "tags": [ @@ -76390,9 +76649,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", - "https://www.shellhacks.com/clear-history-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ 
@@ -76433,8 +76692,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
           "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml"
         ],
         "tags": [
@@ -76467,9 +76726,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
+          "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
           "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
           "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
-          "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
         ],
         "tags": [
@@ -76660,8 +76919,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
           "https://twitter.com/NathanMcNulty/status/1569497348841287681",
+          "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml"
         ],
         "tags": [
@@ -76829,8 +77088,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
           "https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
         ],
         "tags": [
@@ -77006,8 +77265,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/oroneequalsone/status/1568432028361830402",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+          "https://twitter.com/oroneequalsone/status/1568432028361830402",
           "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
         ],
@@ -77075,9 +77334,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
-          "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
           "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4",
+          "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
         ],
         "tags": [
@@ -77110,9 +77369,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
           "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
           "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
+          "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
         ],
         "tags": [
@@ -77302,8 +77561,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
           "https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+          "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml"
         ],
         "tags": [
@@ -77706,9 +77965,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
-          "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
           "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
+          "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
         ],
         "tags": [
@@ -77916,9 +78175,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
-          "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
           "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+          "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml"
         ],
         "tags": [
@@ -77985,9 +78244,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+          "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
           "https://twitter.com/ScumBots/status/1610626724257046529",
           "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
-          "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
         ],
         "tags": [
@@ -78523,9 +78782,9 @@
         "logsource.category": "ps_module",
         "logsource.product": "windows",
         "refs": [
-          "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
           "https://github.com/samratashok/ADModule",
           "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+          "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml"
         ],
         "tags": [
@@ -78867,23 +79126,23 @@
         "logsource.category": "ps_module",
         "logsource.product": "windows",
         "refs": [
+          "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+          "https://github.com/nettitude/Invoke-PowerThIEf",
+          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+          "https://github.com/NetSPI/PowerUpSQL",
           "https://github.com/PowerShellMafia/PowerSploit",
+          "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
+          "https://github.com/HarmJ0y/DAMP",
           "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
           "https://github.com/besimorhino/powercat",
           "https://github.com/S3cur3Th1sSh1t/WinPwn",
-          "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
-          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
-          "https://github.com/NetSPI/PowerUpSQL",
-          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
-          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
-          "https://github.com/samratashok/nishang",
-          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
           "https://github.com/CsEnox/EventViewer-UACBypass",
-          "https://github.com/HarmJ0y/DAMP",
-          "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
-          "https://github.com/nettitude/Invoke-PowerThIEf",
-          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
-          "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
+          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+          "https://github.com/samratashok/nishang",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
         ],
         "tags": [
@@ -79026,24 +79285,24 @@
         "logsource.category": "ps_module",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
-          "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
-          "https://github.com/besimorhino/powercat",
-          "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
-          "https://github.com/adrecon/ADRecon",
-          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
-          "https://github.com/adrecon/AzureADRecon",
-          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
-          "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
-          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
-          "https://github.com/samratashok/nishang",
-          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
-          "https://github.com/HarmJ0y/DAMP",
-          "https://github.com/Kevin-Robertson/Powermad",
-          "https://adsecurity.org/?p=2921",
-          "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
           "https://github.com/calebstewart/CVE-2021-1675",
+          "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+          "https://adsecurity.org/?p=2921",
           "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+          "https://github.com/Kevin-Robertson/Powermad",
+          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+          "https://github.com/HarmJ0y/DAMP",
+          "https://github.com/adrecon/AzureADRecon",
+          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://github.com/besimorhino/powercat",
+          "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+          "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+          "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+          "https://github.com/adrecon/ADRecon",
+          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+          "https://github.com/samratashok/nishang",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
         ],
         "tags": [
@@ -79133,8 +79392,8 @@
         "logsource.category": "ps_module",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
           "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0",
+          "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml"
         ],
         "tags": [
@@ -79392,9 +79651,9 @@
         "logsource.category": "ps_module",
         "logsource.product": "windows",
         "refs": [
-          "https://www.mdeditor.tw/pl/pgRt",
           "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
           "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
+          "https://www.mdeditor.tw/pl/pgRt",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
         ],
         "tags": [
@@ -79714,17 +79973,17 @@
         "logsource.category": "create_stream_hash",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/ohpe/juicy-potato",
-          "https://github.com/outflanknl/Dumpert",
-          "https://github.com/gentilkiwi/mimikatz",
-          "https://github.com/antonioCoco/RoguePotato",
           "https://github.com/fortra/nanodump",
-          "https://github.com/wavestone-cdt/EDRSandblast",
-          "https://github.com/codewhitesec/HandleKatz",
           "https://github.com/xuanxuan0/DripLoader",
-          "https://www.tarasco.org/security/pwdump_7/",
+          "https://github.com/antonioCoco/RoguePotato",
+          "https://github.com/ohpe/juicy-potato",
+          "https://github.com/codewhitesec/HandleKatz",
           "https://github.com/hfiref0x/UACME",
+          "https://github.com/outflanknl/Dumpert",
           "https://github.com/topotam/PetitPotam",
+          "https://www.tarasco.org/security/pwdump_7/",
+          "https://github.com/gentilkiwi/mimikatz",
+          "https://github.com/wavestone-cdt/EDRSandblast",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml"
         ],
         "tags": [
@@ -79874,8 +80133,8 @@
         "logsource.category": "create_stream_hash",
         "logsource.product": "windows",
         "refs": [
-          "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
           "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+          "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
           "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
           "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml"
@@ -79946,8 +80205,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
-          "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
           "https://github.com/codewhitesec/SysmonEnte/",
+          "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml"
         ],
         "tags": [
@@ -80061,9 +80320,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
-          "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
-          "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
           "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
+          "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+          "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
         ],
         "tags": [
@@ -80130,8 +80389,8 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611",
           "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/",
+          "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml"
         ],
         "tags": [
@@ -80234,8 +80493,8 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
           "https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158",
+          "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml"
         ],
         "tags": [
@@ -80269,9 +80528,9 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
           "https://twitter.com/SBousseaden/status/1541920424635912196",
           "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
+          "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml"
         ],
         "tags": [
@@ -80304,8 +80563,8 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
           "https://twitter.com/_xpn_/status/1491557187168178176",
+          "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml"
         ],
         "tags": [
@@ -80381,8 +80640,8 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/timbmsft/status/900724491076214784",
           "https://github.com/hlldz/Invoke-Phant0m",
+          "https://twitter.com/timbmsft/status/900724491076214784",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml"
         ],
         "tags": [
@@ -80608,9 +80867,9 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
           "https://twitter.com/mrd0x/status/1460597833917251595",
           "https://twitter.com/_xpn_/status/1491557187168178176",
+          "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml"
         ],
         "tags": [
@@ -80644,11 +80903,11 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
-          "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
-          "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
           "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+          "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
           "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+          "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+          "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml"
         ],
         "tags": [
@@ -80997,10 +81256,10 @@
         "logsource.category": "No established category",
         "logsource.product": "zeek",
         "refs": [
-          "https://threatpost.com/microsoft-petitpotam-poc/168163/",
-          "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
-          "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
           "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
+          "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
+          "https://threatpost.com/microsoft-petitpotam-poc/168163/",
+          "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
         ],
         "tags": [
@@ -81288,11 +81547,11 @@
         "logsource.product": "zeek",
         "refs": [
           "https://github.com/corelight/CVE-2021-1675",
-          "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
-          "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
-          "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
           "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
+          "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
           "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+          "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+          "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
         ],
         "tags": [
@@ -81319,10 +81578,10 @@
         "logsource.category": "No established category",
         "logsource.product": "zeek",
         "refs": [
-          "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
-          "https://twitter.com/neu5ron/status/1346245602502443009",
           "https://tools.ietf.org/html/rfc2929#section-2.1",
+          "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
           "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
+          "https://twitter.com/neu5ron/status/1346245602502443009",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
         ],
         "tags": [
@@ -81479,9 +81738,9 @@
         "logsource.category": "No established category",
         "logsource.product": "zeek",
         "refs": [
-          "https://twitter.com/_dirkjan/status/1309214379003588608",
-          "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
           "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+          "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+          "https://twitter.com/_dirkjan/status/1309214379003588608",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
         ],
         "tags": [
@@ -81608,8 +81867,8 @@
         "logsource.category": "No established category",
         "logsource.product": "cisco",
         "refs": [
-          "https://blog.router-switch.com/2013/11/show-running-config/",
           "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm",
+          "https://blog.router-switch.com/2013/11/show-running-config/",
           "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"
         ],
@@ -81703,8 +81962,8 @@
         "logsource.category": "No established category",
         "logsource.product": "cisco",
         "refs": [
-          "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html",
           "https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609",
+          "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml"
         ],
         "tags": [
@@ -82320,8 +82579,8 @@
         "logsource.category": "dns",
         "logsource.product": "No established product",
         "refs": [
-          "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
           "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+          "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml"
         ],
         "tags": [
@@ -82354,8 +82613,8 @@
         "logsource.category": "dns",
         "logsource.product": "No established product",
         "refs": [
-          "https://twitter.com/stvemillertime/status/1024707932447854592",
           "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
+          "https://twitter.com/stvemillertime/status/1024707932447854592",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
         ],
         "tags": [
@@ -82430,9 +82689,9 @@
         "logsource.product": "No established product",
         "refs": [
           "https://core.telegram.org/bots/faq",
+          "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
           "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
           "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
-          "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
         ],
         "tags": [
@@ -82561,8 +82820,8 @@
         "logsource.category": "firewall",
         "logsource.product": "No established product",
         "refs": [
-          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://www.cisecurity.org/controls/cis-controls-list/",
+          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
         ],
@@ -82654,11 +82913,11 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
-          "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
           "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
           "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
+          "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
           "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
+          "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml"
         ],
         "tags": [
@@ -82692,10 +82951,10 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
-          "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
-          "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
           "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
+          "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
+          "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
+          "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml"
         ],
         "tags": [
@@ -82770,10 +83029,10 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
-          "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
           "https://www.spamhaus.org/statistics/tlds/",
+          "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
           "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+          "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
         ],
         "tags": [
@@ -82856,8 +83115,8 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
           "https://twitter.com/jhencinski/status/1102695118455349248",
+          "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml"
         ],
         "tags": [
@@ -82934,14 +83193,14 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
-          "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
           "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
+          "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+          "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
           "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
+          "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
+          "https://perishablepress.com/blacklist/ua-2013.txt",
           "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
           "https://twitter.com/crep1x/status/1635034100213112833",
-          "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
-          "https://perishablepress.com/blacklist/ua-2013.txt",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
         ],
         "tags": [
@@ -82974,8 +83233,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
 "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
+ "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml"
 ],
 "tags": [
@@ -83008,8 +83267,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
 "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
+ "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml"
 ],
 "tags": [
@@ -83077,8 +83336,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
 "https://rclone.org/",
+ "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml"
 ],
 "tags": [
@@ -83111,9 +83370,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://blog.talosintelligence.com/ipfs-abuse/",
- "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
 "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
+ "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
+ "https://blog.talosintelligence.com/ipfs-abuse/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
 ],
 "tags": [
@@ -83196,9 +83455,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
- "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml"
 ],
 "tags": [
@@ -83273,8 +83532,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.advanced-port-scanner.com/",
 "https://www.advanced-ip-scanner.com/",
+ "https://www.advanced-port-scanner.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml"
 ],
 "tags": [
@@ -83468,8 +83727,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
 "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
 ],
 "tags": [
@@ -83831,10 +84090,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
 "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
 "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
 "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
 "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
 ],
@@ -83904,8 +84163,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/pimps/JNDI-Exploit-Kit",
 "https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit",
+ "https://github.com/pimps/JNDI-Exploit-Kit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml"
 ],
 "tags": [
@@ -83974,9 +84233,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
 "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
+ "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
 ],
 "tags": [
@@ -84044,9 +84303,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
 "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
- "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml"
 ],
 "tags": [
@@ -84080,8 +84339,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://bad-jubies.github.io/RCE-NOW-WHAT/",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml"
 ],
 "tags": [
@@ -84116,8 +84375,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/payloadbox/sql-injection-payload-list",
 "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
+ "https://github.com/payloadbox/sql-injection-payload-list",
 "https://brightsec.com/blog/sql-injection-payloads/",
 "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
 "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection",
@@ -84222,8 +84481,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.exploit-db.com/exploits/19525",
 "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://www.exploit-db.com/exploits/19525",
 "https://github.com/lijiejie/IIS_shortname_Scanner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
 ],
@@ -84290,8 +84549,8 @@
 "logsource.category": "application",
 "logsource.product": "jvm",
 "refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml"
 ],
 "tags": [
@@ -84357,8 +84616,8 @@
 "logsource.category": "application",
 "logsource.product": "jvm",
 "refs": [
- "https://rules.sonarsource.com/java/RSPEC-2755",
 "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://rules.sonarsource.com/java/RSPEC-2755",
 "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
 ],
@@ -84527,10 +84786,10 @@
 "logsource.category": "application",
 "logsource.product": "ruby_on_rails",
 "refs": [
- "http://guides.rubyonrails.org/action_controller_overview.html",
+ "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
 "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
 "http://edgeguides.rubyonrails.org/security.html",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
+ "http://guides.rubyonrails.org/action_controller_overview.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
 ],
 "tags": [
@@ -84631,8 +84890,8 @@
 "logsource.category": "application",
 "logsource.product": "django",
 "refs": [
- "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
 "https://docs.djangoproject.com/en/1.11/ref/exceptions/",
+ "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml"
 ],
 "tags": [
@@ -84698,8 +84957,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_smb_file_open.yml"
 ],
 "tags": [
@@ -84741,8 +85000,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_vnc_connection_attempt.yml"
 ],
 "tags": [
@@ -84775,8 +85034,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_new_connection.yml"
 ],
 "tags": [
@@ -84827,8 +85086,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_tftp_request.yml"
 ],
 "tags": [
@@ -84861,8 +85120,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ftp_login_attempt.yml"
 ],
 "tags": [
@@ -84904,8 +85163,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml"
 ],
 "tags": [
@@ -84939,8 +85198,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_post_login_attempt.yml"
 ],
 "tags": [
@@ -84973,8 +85232,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_git_clone_request.yml"
 ],
 "tags": [
@@ -85007,8 +85266,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_snmp_cmd.yml"
 ],
 "tags": [
@@ -85050,8 +85309,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_sip_request.yml"
 ],
 "tags": [
@@ -85084,8 +85343,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_login_attempt.yml"
 ],
 "tags": [
@@ -85136,8 +85395,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mysql_login_attempt.yml"
 ],
 "tags": [
@@ -85179,8 +85438,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_redis_command.yml"
 ],
 "tags": [
@@ -85222,8 +85481,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml"
 ],
 "tags": [
@@ -85265,8 +85524,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_telnet_login_attempt.yml"
 ],
 "tags": [
@@ -85308,8 +85567,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_winauth.yml"
 ],
 "tags": [
@@ -85351,8 +85610,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_get.yml"
 ],
 "tags": [
@@ -85385,8 +85644,8 @@
 "logsource.category": "application",
 "logsource.product": "opencanary",
 "refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ntp_monlist.yml"
 ],
 "tags": [
@@ -85509,8 +85768,8 @@
 "logsource.category": "No established category",
 "logsource.product": "kubernetes",
 "refs": [
- "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab",
 "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
+ "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml"
 ],
 "tags": [
@@ -85805,10 +86064,10 @@
 "logsource.category": "application",
 "logsource.product": "kubernetes",
 "refs": [
- "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
- "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html",
- "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html",
 "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer",
+ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
+ "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html",
+ "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml"
 ],
 "tags": [
@@ -85905,8 +86164,8 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml"
 ],
 "tags": [
@@ -85930,9 +86189,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
 ],
 "tags": [
@@ -85955,10 +86214,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
 ],
 "tags": [
@@ -85981,9 +86240,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
 ],
 "tags": [
@@ -86025,9 +86284,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
 ],
 "tags": [
@@ -86069,9 +86328,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
 ],
 "tags": [
@@ -86112,10 +86371,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
 ],
 "tags": [
@@ -86148,12 +86407,12 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
 ],
 "tags": [
@@ -86177,9 +86436,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
 ],
 "tags": [
@@ -86220,10 +86479,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
 ],
 "tags": [
@@ -86256,10 +86515,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
 ],
 "tags": [
@@ -86293,9 +86552,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
 "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
 ],
 "tags": [
@@ -86318,9 +86577,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
 ],
@@ -86354,10 +86613,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
 ],
 "tags": [
@@ -86380,9 +86639,9 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://github.com/zeronetworks/rpcfirewall",
 "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
 ],
@@ -86406,10 +86665,10 @@
 "logsource.category": "application",
 "logsource.product": "rpc_firewall",
 "refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
 ],
 "tags": [
@@ -86433,9 +86692,9 @@
 "logsource.product": "rpc_firewall",
 "refs": [
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
 "https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
 ],
 "tags": [
@@ -86467,8 +86726,8 @@
 "logsource.category": "file_event",
 "logsource.product": "macos",
 "refs": [
- "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
+ "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
 ],
 "tags": [
@@ -86571,10 +86830,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://objective-see.org/blog/blog_0x6D.html",
 "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
 "https://ss64.com/osx/csrutil.html",
 "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
- "https://objective-see.org/blog/blog_0x6D.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml"
 ],
 "tags": [
@@ -86748,9 +87007,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
- "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior",
 "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior",
+ "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior",
+ "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
 "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml"
 ],
@@ -86784,8 +87043,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
 ],
@@ -86843,8 +87102,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
 "https://www.loobins.io/binaries/tmutil/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml"
 ],
 "tags": [
@@ -86877,8 +87136,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
 "https://github.com/MythicAgents/typhon/",
+ "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
 "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml"
 ],
@@ -86937,11 +87196,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://www.loobins.io/binaries/launchctl/",
+ "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
 "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md",
 "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html",
- "https://www.loobins.io/binaries/launchctl/",
- "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"
 ],
 "tags": [
@@ -86991,8 +87250,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.loobins.io/binaries/hdiutil/",
 "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/",
+ "https://www.loobins.io/binaries/hdiutil/",
 "https://ss64.com/mac/hdiutil.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml"
 ],
@@ -87120,8 +87379,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
 "https://github.com/MythicAgents/typhon/",
+ "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
 "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml"
 ],
@@ -87145,8 +87404,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos",
 "https://ss64.com/osx/dscl.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml"
 ],
 "tags": [
@@ -87180,9 +87439,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md",
 "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml",
 "https://ss64.com/osx/dsenableroot.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml"
 ],
 "tags": [
@@ -87298,8 +87557,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
 "https://www.manpagez.com/man/8/firmwarepasswd/",
+ "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
 "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
 ],
@@ -87323,8 +87582,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.loobins.io/binaries/hdiutil/",
 "https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/",
+ "https://www.loobins.io/binaries/hdiutil/",
 "https://ss64.com/mac/hdiutil.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml"
 ],
@@ -87500,12 +87759,12 @@
 "logsource.product": "macos",
 "refs": [
 "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
+ "https://www.loobins.io/binaries/sysctl/#",
+ "https://objective-see.org/blog/blog_0x1E.html",
+ "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior",
 "https://evasions.checkpoint.com/techniques/macos.html",
 "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
- "https://www.loobins.io/binaries/sysctl/#",
- "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior",
 "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior",
- "https://objective-see.org/blog/blog_0x1E.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml"
 ],
 "tags": [
@@ -87580,8 +87839,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://linux.die.net/man/1/dd",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
+ "https://linux.die.net/man/1/dd",
 "https://linux.die.net/man/1/truncate",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
 ],
@@ -87808,8 +88067,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
 "https://redcanary.com/blog/applescript/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"
 ],
 "tags": [
@@ -87875,10 +88134,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://objective-see.org/blog/blog_0x6D.html",
 "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
 "https://ss64.com/osx/csrutil.html",
 "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
- "https://objective-see.org/blog/blog_0x6D.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml"
 ],
 "tags": [
@@ -87944,8 +88203,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
 "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
 ],
 "tags": [
@@ -88273,8 +88532,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml",
 "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang",
+ "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml"
 ],
 "tags": [
@@ -88324,9 +88583,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd",
 "https://www.loobins.io/binaries/nscurl/",
 "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl",
- "https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml"
 ],
 "tags": [
@@ -88393,8 +88652,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://ss64.com/osx/sysadminctl.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://ss64.com/osx/sysadminctl.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"
 ],
 "tags": [
@@ -88494,12 +88753,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://ss64.com/mac/system_profiler.html",
- "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
 "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
+ "https://ss64.com/mac/system_profiler.html",
 "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af",
- "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
 "https://objective-see.org/blog/blog_0x62.html",
+ "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+ "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml"
 ],
 "tags": [
@@ -88574,10 +88833,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
- "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
 "https://ss64.com/mac/chflags.html",
+ "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
+ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml"
 ],
 "tags": [
@@ -88667,8 +88926,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
 "https://www.loobins.io/binaries/tmutil/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml"
 ],
 "tags": [
@@ -88876,8 +89135,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
 "https://www.loobins.io/binaries/tmutil/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml"
 ],
 "tags": [
@@ -88910,8 +89169,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.manpagez.com/man/8/PlistBuddy/",
 "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
+ "https://www.manpagez.com/man/8/PlistBuddy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml"
 ],
 "tags": [
@@ -88998,8 +89257,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
 "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+ "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_disabled.yml"
 ],
 "tags": [
@@ -89140,10 +89399,10 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
- "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
 "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
+ "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
+ "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
 ],
 "tags": [
@@ -89211,10 +89470,10 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration",
- "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository",
 "https://docs.github.com/en/migrations",
 "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership",
+ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration",
+ "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml"
 ],
 "tags": [
@@ -89360,8 +89619,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
 "https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+ "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_bypass_detected.yml"
 ],
 "tags": [
@@ -89395,8 +89654,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
 "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml"
 ],
 "tags": [
@@ -89448,8 +89707,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation",
 "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml"
 ],
 "tags": [
@@ -89504,8 +89763,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
 ],
 "tags": [
@@ -89528,8 +89787,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml"
 ],
 "tags": [
@@ -89562,8 +89821,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
 ],
 "tags": [
@@ -89596,9 +89855,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://dataconomy.com/2023/10/23/okta-data-breach/",
- "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach",
 "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/",
+ "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach",
+ "https://dataconomy.com/2023/10/23/okta-data-breach/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml"
 ],
 "tags": [
@@ -89644,9 +89903,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
+ "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
- "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
 ],
 "tags": [
@@ -89679,8 +89938,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
 ],
 "tags": [
@@ -89703,8 +89962,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
 ],
 "tags": [
@@ -89727,8 +89986,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml"
 ],
 "tags": [
@@ -89761,9 +90020,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
 ],
 "tags": [
@@ -89786,8 +90045,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -89810,8 +90069,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
 ],
 "tags": [
@@ -89834,8 +90093,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
 ],
 "tags": [
@@ -89868,8 +90127,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
 ],
 "tags": [
@@ -89892,8 +90151,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml"
 ],
 "tags": [
@@ -89926,9 +90185,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://sec.okta.com/fastpassphishingdetection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml"
 ],
 "tags": [
@@ -89961,8 +90220,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml"
 ],
 "tags": [
@@ -89985,8 +90244,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
 ],
 "tags": [
@@ -90011,8 +90270,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -90035,8 +90294,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
 ],
 "tags": [
@@ -90071,8 +90330,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml"
 ],
 "tags": [
@@ -90263,8 +90522,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/pull/1213",
 "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+ "https://github.com/elastic/detection-rules/pull/1213",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml"
 ],
 "tags": [
@@ -90511,8 +90770,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
 "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml"
 ],
 "tags": [
@@ -90901,9 +91160,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html",
 "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html",
 "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html",
+ "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml"
 ],
 "tags": [
@@ -91111,9 +91370,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things", "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html", "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/", + "https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml" ], "tags": [ @@ -91197,9 +91456,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", - "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", + "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], "tags": [ 
@@ -91388,13 +91647,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://github.com/elastic/detection-rules/pull/1145/files", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -91750,8 +92009,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml" ], "tags": [ 
@@ -91808,9 +92067,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ + "https://cloud.google.com/access-context-manager/docs/audit-logging", "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", - "https://cloud.google.com/access-context-manager/docs/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" ], "tags": [ @@ -91870,8 +92129,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -92037,9 +92296,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://github.com/elastic/detection-rules/pull/1267", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" 
@@ -92065,9 +92324,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://cloud.google.com/kubernetes-engine/docs", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml" ], "tags": [ @@ -92159,9 +92418,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml" ], "tags": [ @@ -92184,8 +92443,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml" ], "tags": [ 
@@ -92208,9 +92467,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], "tags": [ @@ -92268,8 +92527,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml" ], "tags": [ @@ -92302,8 +92561,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml" ], "tags": [ 
@@ -92336,8 +92595,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml" ], "tags": [ @@ -92402,8 +92661,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml" ], "tags": [ @@ -92471,8 +92730,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml" ], "tags": [ 
@@ -92632,8 +92891,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml" ], "tags": [ @@ -92700,8 +92959,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml" ], "tags": [ @@ -92743,8 +93002,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml" ], "tags": [ 
@@ -92818,8 +93077,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml" ], "tags": [ @@ -92852,8 +93111,8 @@ "logsource.category": "No established category", "logsource.product": "bitbucket", "refs": [ - "https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html", "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html", + "https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml" ], "tags": [ @@ -92902,11 +93161,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://o365blog.com/post/aadbackdoor/", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.sygnia.co/golden-saml-advisory", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + "https://o365blog.com/post/aadbackdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" ], "tags": [ 
@@ -93006,8 +93265,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml" ], "tags": [ @@ -93040,8 +93299,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml" ], "tags": [ @@ -93074,8 +93333,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml" ], "tags": [ 
@@ -93108,8 +93367,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml" ], "tags": [ @@ -93142,8 +93401,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml" ], "tags": [ @@ -93176,8 +93435,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml" ], "tags": [ 
@@ -93233,8 +93492,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml" ], "tags": [ @@ -93267,8 +93526,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml" ], "tags": [ @@ -93301,8 +93560,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml" ], "tags": [ 
@@ -93325,8 +93584,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml" ], "tags": [ @@ -93359,8 +93618,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml" ], "tags": [ @@ -93426,8 +93685,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", + "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml" ], "tags": [ 
@@ -94107,8 +94366,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f", + "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml" ], "tags": [ @@ -94142,9 +94401,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://twitter.com/NathanMcNulty/status/1785051227568632263", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487", "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/", + "https://twitter.com/NathanMcNulty/status/1785051227568632263", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml" ], "tags": [ @@ -94715,8 +94974,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f", + "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml" ], "tags": [ 
@@ -94783,8 +95042,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022", + "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml" ], "tags": [ @@ -95690,8 +95949,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" ], "tags": [ @@ -95727,8 +95986,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml" ], "tags": [ 
@@ -95761,8 +96020,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" ], "tags": [ @@ -95798,8 +96057,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml" ], "tags": [ @@ -95832,8 +96091,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml" ], "tags": [ 
@@ -95866,8 +96125,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml" ], "tags": [ @@ -95937,8 +96196,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml" ], "tags": [ @@ -96005,8 +96264,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" ], "tags": [ 
@@ -96042,8 +96301,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml" ], "tags": [ @@ -96113,9 +96372,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" ], "tags": [ @@ -96151,8 +96410,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml" ], "tags": [ 
@@ -96185,8 +96444,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml" ], "tags": [ @@ -96219,8 +96478,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules", "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml" ], "tags": [ @@ -96359,8 +96618,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml" ], "tags": [ 
@@ -96385,10 +96644,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -96438,10 +96697,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ 
@@ -96465,10 +96724,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -97054,10 +97313,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ 
@@ -97166,10 +97425,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -97318,10 +97577,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ 
@@ -97356,10 +97615,10 @@ "logsource.product": "azure", "refs": [ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -97639,10 +97898,10 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ 
@@ -97955,8 +98214,8 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], @@ -97978,10 +98237,10 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": [ @@ -98004,8 +98263,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], 
@@ -98075,8 +98334,8 @@ "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", - "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], "tags": [ @@ -98167,11 +98426,11 @@ "logsource.product": "No established product", "refs": [ "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", - "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", - "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", + "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", + "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", + "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ 
@@ -98203,8 +98462,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", "https://www.nextron-systems.com/?s=antivirus", + "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml" ], "tags": [ 
@@ -98237,16 +98496,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ 
@@ -98279,10 +98538,10 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", - "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", + "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], "tags": [ @@ -98415,10 +98674,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ 
@@ -98475,10 +98734,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ @@ -98677,10 +98936,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://linux.die.net/man/8/pam_tty_audit", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ 
@@ -98855,10 +99114,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man8/getcap.8.html", - "https://mn3m.info/posts/suid-vs-capabilities/", "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://man7.org/linux/man-pages/man8/getcap.8.html", + "https://mn3m.info/posts/suid-vs-capabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -98999,8 +99258,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" ], "tags": [ @@ -99243,8 +99502,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://linux.die.net/man/1/xclip", + "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ 
@@ -99277,8 +99536,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/wget/", "https://linux.die.net/man/1/wget", + "https://gtfobins.github.io/gtfobins/wget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" ], "tags": [ @@ -99377,8 +99636,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://linux.die.net/man/1/arecord", + "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" ], "tags": [ @@ -99412,9 +99671,9 @@ "logsource.product": "linux", "refs": [ "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://linux.die.net/man/1/chage", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", - "https://linux.die.net/man/1/chage", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ @@ -99513,8 +99772,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://blog.aquasec.com/container-security-tnt-container-attack", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", + "https://blog.aquasec.com/container-security-tnt-container-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml" ], "tags": [ 
@@ -99547,9 +99806,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://linux.die.net/man/1/import", "https://imagemagick.org/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -99582,8 +99841,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], @@ -100081,9 +100340,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/8/insmod", - "https://man7.org/linux/man-pages/man8/kmod.8.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", + "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://linux.die.net/man/8/insmod", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ 
@@ -100216,10 +100475,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence", - "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content", - "https://regex101.com/r/RugQYK/1", "https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", + "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content", + "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence", + "https://regex101.com/r/RugQYK/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml" ], "tags": [ @@ -100310,9 +100569,9 @@ "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/awk/#shell", + "https://gtfobins.github.io/gtfobins/gawk/#shell", "https://gtfobins.github.io/gtfobins/nawk/#shell", "https://gtfobins.github.io/gtfobins/mawk/#shell", - "https://gtfobins.github.io/gtfobins/gawk/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml" ], "tags": [ @@ -100345,8 +100604,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml" ], "tags": [ 
@@ -100459,8 +100718,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml" ], "tags": [ @@ -100600,8 +100859,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/nice/#shell", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml" ], "tags": [ @@ -100743,10 +101002,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], "tags": [ 
@@ -100864,9 +101123,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/projectdiscovery/naabu", "https://github.com/Tib3rius/AutoRecon", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/projectdiscovery/naabu", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" ], "tags": [ @@ -100966,8 +101225,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ @@ -101033,9 +101292,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://linux.die.net/man/1/bash", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" ], "tags": [ 
@@ -101124,10 +101383,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], "tags": [ @@ -101185,8 +101444,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ @@ -101219,8 +101478,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml" ], "tags": [ @@ -101288,8 +101547,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml" ], "tags": [ 
@@ -101421,10 +101680,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" ], "tags": [ @@ -101499,8 +101758,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", + "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml" ], "tags": [ 
@@ -101541,10 +101800,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], "tags": [ @@ -101626,10 +101885,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], "tags": [ @@ -101662,8 +101921,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/ssh/", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml" ], "tags": [ 
@@ -101729,10 +101988,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" ], "tags": [ @@ -101791,9 +102050,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://access.redhat.com/security/cve/cve-2019-14287", + "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ 
@@ -101869,8 +102128,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" ], @@ -101937,8 +102196,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", + "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml" ], @@ -102006,8 +102265,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" ], "tags": [ 
@@ -102040,10 +102299,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", - "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", - "https://linux.die.net/man/8/groupdel", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linux.die.net/man/8/groupdel", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -102099,10 +102358,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://linux.die.net/man/8/userdel", - "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -102135,10 +102394,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], "tags": [ 
@@ -102161,8 +102420,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://gtfobins.github.io/gtfobins/find/#shell", + "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml" ], "tags": [ @@ -102229,8 +102488,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml" ], "tags": [ @@ -102263,8 +102522,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", + "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], 
@@ -102306,15 +102565,15 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://github.com/Pennyw0rth/NetExec/", + "https://github.com/Ne0nd0g/merlin", + "https://github.com/HavocFramework/Havoc", "https://github.com/pathtofile/bad-bpf", "https://github.com/1N3/Sn1per", - "https://github.com/Pennyw0rth/NetExec/", - "https://github.com/t3l3machus/Villain", - "https://github.com/t3l3machus/hoaxshell", - "https://github.com/HavocFramework/Havoc", - "https://github.com/Ne0nd0g/merlin", "https://github.com/carlospolop/PEASS-ng", + "https://github.com/t3l3machus/Villain", "https://github.com/Gui774ume/ebpfkit", + "https://github.com/t3l3machus/hoaxshell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" ], "tags": [ @@ -102448,9 +102707,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], "tags": [ @@ -102483,8 +102742,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml" ], "tags": [ 
@@ -102507,8 +102766,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ @@ -102541,8 +102800,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml" ], "tags": [ @@ -102618,8 +102877,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", + "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml" ], "tags": [ 
@@ -102652,8 +102911,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml" ], "tags": [ @@ -102710,9 +102969,9 @@ "logsource.product": "linux", "refs": [ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html", - "https://gtfobins.github.io/gtfobins/gcc/#shell", - "https://gtfobins.github.io/gtfobins/c89/#shell", "https://gtfobins.github.io/gtfobins/c99/#shell", + "https://gtfobins.github.io/gtfobins/c89/#shell", + "https://gtfobins.github.io/gtfobins/gcc/#shell", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml" ], "tags": [ @@ -102746,8 +103005,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", + "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml" ], "tags": [ 
@@ -102848,11 +103107,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://curl.se/docs/manpage.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://twitter.com/d1r4c/status/1279042657508081664", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -102992,8 +103251,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml" ], "tags": [ @@ -103280,11 +103539,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.revshells.com/", "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", "https://www.infosecademy.com/netcat-reverse-shells/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ 
@@ -103416,8 +103675,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/arget13/DDexec", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" ], "tags": [ @@ -103516,10 +103775,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ @@ -103575,9 +103834,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://bpftrace.org/", "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", - "https://bpftrace.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], "tags": [ @@ -103634,8 +103893,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/apt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml" ], "tags": [ 
@@ -103668,10 +103927,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", + "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ @@ -103704,8 +103963,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], @@ -103772,8 +104031,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ 
@@ -103806,10 +104065,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://linuxhint.com/uninstall_yum_package/", "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", "https://linuxhint.com/uninstall-debian-packages/", - "https://linuxhint.com/uninstall_yum_package/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ @@ -103866,8 +104125,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://blog.skyplabs.net/posts/container-detection/", + "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml" ], "tags": [ @@ -103967,8 +104226,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", "https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/", + "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml" ], "tags": [ 
@@ -104227,11 +104486,11 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html", "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections", - "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors", "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team", + "https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html", + "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml" ], "tags": [ @@ -104298,9 +104557,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://book.hacktricks.xyz/shells/shells/linux", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", + "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -104323,8 +104582,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://redcanary.com/blog/ebpf-malware/", "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", + "https://redcanary.com/blog/ebpf-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" ], "tags": [ 
@@ -104506,9 +104765,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/8/useradd", - "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", + "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", + "https://linux.die.net/man/8/useradd", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], "tags": [ @@ -104683,9 +104942,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics", "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ @@ -104718,8 +104977,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", "https://github.com/Immersive-Labs-Sec/nimbuspwn", + "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" ], "tags": [ 
@@ -104875,9 +105134,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
 ],
 "tags": [
@@ -105051,8 +105310,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
 "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
+ "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
 ],
 "tags": [
@@ -105139,5 +105398,5 @@
 "value": "Modifying Crontab"
 }
 ],
- "version": 20240919
+ "version": 20241017
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5dfa613..cc95b8f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5681,7 +5681,8 @@
 "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
 "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
 "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage",
+ "https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/"
 ],
 "synonyms": [
 "Velvet Chollima",
@@ -5692,7 +5693,8 @@
 "APT43",
 "Emerald Sleet",
 "THALLIUM",
- "Springtail"
+ "Springtail",
+ "Sparkling Pisces"
 ],
 "targeted-sector": [
 "Research - Innovation",
@@ -6420,7 +6422,8 @@
 "https://securelist.com/operation-daybreak/75100/",
 "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
 "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/",
- "https://unit42.paloaltonetworks.com/atoms/moldypisces/"
+ "https://unit42.paloaltonetworks.com/atoms/moldypisces/",
+ "https://asec.ahnlab.com/en/83877/"
 ],
 "synonyms": [
 "APT 37",
@@ -6437,7 +6440,8 @@
 "Venus 121",
 "ATK4",
 "G0067",
- "Moldy Pisces"
+ "Moldy Pisces",
+ "TA-RedAnt"
 ]
 },
 "related": [
@@ -12795,6 +12799,15 @@
 "https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
 "value": "Earth Estries"
 },
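Review bot: The `related` block added to Earth Estries in hunk `@@ -12795,6 +12799,15 @@` records a `similar` link to uuid `3c3ca8f3-…` with a `likely` estimative tag, but the entry's own `meta.refs` gains no source for that assessment; the only ref visible in the hunk is the SentinelOne continental-takeover post, which may or may not be what motivated the link. The synonym additions in the other hunks of this file section (`"Sparkling Pisces"` for Kimsuky, `"TA-RedAnt"` for ScarCruft) each arrive together with a new ref, and the Earth Estries link should follow the same pattern so the relation is traceable from this side as well as from the linked entry. The enclosing entries of all five hunks begin outside the hunks, so the refs arrays may hold more than what is shown here.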
@@ -15075,7 +15088,9 @@
 "https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/"
 ],
 "synonyms": [
- "Akira"
+ "Akira",
+ "PUNK SPIDER",
+ "GOLD SAHARA"
 ]
 },
 "uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3",
@@ -15215,6 +15230,15 @@
 "Outrider Tiger"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
 "value": "Fishing Elephant"
 },
@@ -15233,10 +15257,29 @@
 "meta": {
 "country": "CN",
 "refs": [
- "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
- "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf",
+ "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/",
+ "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf",
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation",
+ "https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/",
+ "https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835"
+ ],
+ "synonyms": [
+ "FamousSparrow",
+ "UNC2286",
+ "Salt Typhoon"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
 "value": "GhostEmperor"
 },
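Review bot: The GhostEmperor hunk (`@@ -15233,10 +15257,29 @@`) lists `"FamousSparrow"`, `"UNC2286"` and `"Salt Typhoon"` under `synonyms`, which in this galaxy asserts that the names denote one and the same cluster, while the very same hunk encodes the weaker Earth Estries link as `related`/`similar` with an estimative-language tag. If the cited ESET, NCSC and Kaspersky reports only describe tooling or infrastructure overlap rather than equating the groups, the `related` form with a `likely` tag is the more faithful encoding; if a source does equate them, the entry's description (outside the hunk) should name it, because a consumer merging on synonyms has no way to see the uncertainty. The Akira hunk (`@@ -15075,7 +15088,9 @@`) adds `"PUNK SPIDER"` and `"GOLD SAHARA"` with no accompanying ref — the only one visible is the Avast Q2 2023 report, though the refs array continues above the hunk — so the vendor source for those names should be added next to them. Both enclosing entries begin outside their hunks.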
@@ -16688,7 +16731,263 @@
 },
 "uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
 "value": "HikkI-Chan"
+ },
+ {
+ "description": "Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.tgsoft.it/news/news_archivio.asp?id=1568",
+ "https://jp.security.ntt/tech_blog/appdomainmanager-injection",
+ "https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"
+ ]
+ },
+ "uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7",
+ "value": "Earth Baxia"
+ },
+ {
+ "description": "SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistani, Sri Lanka, Bangladesh, and China. 
Industries targeted include government, law enforcement, energy, telecommunications, and technology entitie",
+ "meta": {
+ "refs": [
+ "https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ }
+ ],
+ "uuid": 
"6f7489f5-7edc-4693-b35a-44e79c969678",
+ "value": "SloppyLemming"
+ },
+ {
+ "description": "Storm-0494 is a threat actor that facilitates Gootloader infections, which are then exploited by groups like Vice Society to deploy tools such as the Supper backdoor, AnyDesk, and MEGA. They utilize RDP for lateral movement and employ the WMI Provider Host to deploy the INC ransomware payload. Microsoft has identified their activities as part of a campaign targeting the U.S. health sector. Their operations are characterized by financially motivated tactics.",
+ "meta": {
+ "refs": [
+ "https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/",
+ "https://x.com/MsftSecIntel/status/1836456406276342215"
+ ]
+ },
+ "uuid": "bed7279c-4ae4-459a-a862-8c69e0cfdb93",
+ "value": "Storm-0494"
+ },
+ {
+ "description": "DragonRank is a threat actor primarily targeting web application services in Asia and Europe, utilizing TTPs associated with Simplified Chinese-speaking hacking groups. They exploit vulnerabilities in platforms like phpMyAdmin and WordPress to deploy web shells, enabling the installation of PlugX and BadIIS malware for black hat SEO practices. Their operations involve lateral movement within compromised networks to maintain control and elevate privileges, while also engaging in unethical online marketing strategies. DragonRank's activities include manipulating search engine rankings and distributing scam websites through compromised Windows IIS servers.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/dragon-rank-seo-poisoning/"
+ ]
+ },
+ "uuid": "28157c93-0b9f-4341-983a-3a521cee12bb",
+ "value": "DragonRank"
+ },
+ {
+ "description": "Vice Spider is a Russian-speaking ransomware group that has been active since at least April 2021 and is linked to a significant increase in identity-based attacks, with a reported 583% rise in Kerberoasting incidents. 
CrowdStrike attributes 27% of these intrusions specifically to Vice Spider, which exploits vulnerabilities in the Kerberos authentication protocol to crack user passwords.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.techtarget.com/searchsecurity/news/366547445/CrowdStrike-observes-massive-spike-in-identity-based-attacks"
+ ]
+ },
+ "uuid": "2be3426b-c216-499f-b111-6694e96918f7",
+ "value": "VICE SPIDER"
+ },
+ {
+ "description": "AzzaSec is a hacktivist group that originated in Italy. Known for their pro-Palestine stance, they have been involved in various cyberattacks targeting Israel and pro-Israel countries. Additionally, AzzaSec has engaged in ransomware activities and has been known to collaborate with other cybercriminal groups.\n\n\n\n\n\n\n\n\n",
+ "meta": {
+ "country": "IT",
+ "refs": [
+ "https://socradar.io/dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival/",
+ "https://thecyberexpress.com/azzasec-noname-join-hands-to-target-ukriane/"
+ ]
+ },
+ "uuid": "7d067b1a-89df-46ff-a2fc-d688da721236",
+ "value": "AzzaSec"
+ },
+ {
+ "description": "Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, extortion, and destructive attacks using custom wiper malware. The group utilizes a multi-stage loading process, including a Delphi-coded second-stage loader and an AutoIT injector, to deliver wiper malware that specifically targets Windows and Linux environments. Their phishing campaigns often exploit major events and critical vulnerabilities, masquerading as legitimate organizations to gain initial access. 
Handala operates a data leak site to publicize stolen data, although claims of successful attacks are sometimes disputed by targeted organizations.",
+ "meta": {
+ "country": "PS",
+ "refs": [
+ "https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html",
+ "https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/",
+ "https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/"
+ ]
+ },
+ "uuid": "7b14f285-86e9-47da-be1a-16ce566c428b",
+ "value": "Handala"
+ },
+ {
+ "description": "Storm-0501 is a financially motivated cybercriminal group that has been active since 2021, initially targeting US school districts with the Sabbath ransomware and later transitioning to a RaaS model deploying various ransomware strains, including Embargo. The group exploits weak credentials and over-privileged accounts to achieve lateral movement from on-premises environments to cloud infrastructures, establishing persistent backdoor access and deploying ransomware. They have utilized techniques such as credential theft, exploiting vulnerabilities in Zoho ManageEngine and Citrix NetScaler, and employing tools like Cobalt Strike and Rclone for lateral movement and data exfiltration. Storm-0501 has specifically targeted sectors such as government, manufacturing, transportation, and law enforcement in the United States.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/"
+ ]
+ },
+ "uuid": "f6a60403-4bcc-4fc6-ac07-abb913c1f080",
+ "value": "Storm-0501"
+ },
+ {
+ "description": "CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolset called Spacecolon, consisting of ScHackTool, ScInstaller, and ScService, to gain initial access through RDP brute forcing and exploiting vulnerabilities like CVE-2020-1472 and FortiOS SSL-VPN. 
CosmicBeetle has been observed impersonating the LockBit ransomware gang to leverage its reputation and has shown a tendency to leave artifacts on compromised systems. The group primarily targets SMBs globally, employing techniques such as credential dumping and data destruction.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/"
+ ]
+ },
+ "uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345",
+ "value": "CosmicBeetle"
+ },
+ {
+ "description": "UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks"
+ ]
+ },
+ "uuid": "80a874d5-0645-4245-aeb6-9b33a8689928",
+ "value": "UNC1860"
+ },
+ {
+ "description": "SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. 
Additionally, they have been noted for their potential to leak sensitive information from compromised devices.",
+ "meta": {
+ "refs": [
+ "https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/",
+ "https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4"
+ ],
+ "synonyms": [
+ "SkidSec Leaks"
+ ]
+ },
+ "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb",
+ "value": "SkidSec"
+ },
+ {
+ "description": "Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/",
+ "https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/"
+ ],
+ "synonyms": [
+ "Core Werewolf"
+ ]
+ },
+ "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7",
+ "value": "Awaken Likho"
+ },
+ {
+ "description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. 
Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/"
+ ]
+ },
+ "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
+ "value": "CeranaKeeper"
+ },
+ {
+ "description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.",
+ "meta": {
+ "refs": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
+ "http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf"
+ ]
+ },
+ "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
+ "value": "SongXY"
+ },
+ {
+ "description": "TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. 
Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.group-ib.com/blog/task/",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia"
+ ],
+ "synonyms": [
+ "BlueTraveller"
+ ]
+ },
+ "uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19",
+ "value": "TaskMasters"
 }
 ],
- "version": 313
+ "version": 318
 }
diff --git a/clusters/tidal-campaigns.json b/clusters/tidal-campaigns.json
index 996d30a..80be3e5 100644
--- a/clusters/tidal-campaigns.json
+++ b/clusters/tidal-campaigns.json
@@ -57,7 +57,7 @@
 {
 "description": "In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)][[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]\n\n**Related Vulnerabilities**: CVE-2022-31199[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]",
 "meta": {
- "campaign_attack_id": "C5000",
+ "campaign_attack_id": "C3003",
 "first_seen": "2022-08-01T00:00:00Z",
 "last_seen": "2023-05-31T00:00:00Z",
 "owner": "TidalCyberIan",
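Review bot: The `campaign_attack_id` on the `+` line is rewritten from the C5xxx range to C3xxx with no record of the old→new mapping anywhere in the data, and the mapping is not a constant offset (elsewhere in this file C5015 becomes C3027 and C5019 becomes C3036), so a consumer that correlated on the old identifier cannot derive the new one; `uuid` is unchanged and remains the stable key, which is worth stating explicitly. Given `"source": "Tidal Cyber"` this looks like a resync against upstream numbering, so the commit description should say so and carry the old→new table, since the cluster JSON itself cannot. Before merging, a uniqueness check on `campaign_attack_id` across the whole file is warranted, because the new entry added later in this diff also takes an ID in the C3xxx range (C3051) and a collision would not be a JSON error. The same point applies to every other `campaign_attack_id` hunk in this file, from `@@ -75,7 +75,7 @@` through `@@ -700,7 +722,7 @@`.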
@@ -75,7 +75,7 @@
 {
 "description": "In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.\n\nIvanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a).[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]\n\n**Related Vulnerabilities**: CVE-2023-35078[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)], CVE-2023-35081[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]",
 "meta": {
- "campaign_attack_id": "C5004",
+ "campaign_attack_id": "C3007",
 "first_seen": "2023-04-01T00:00:00Z",
 "last_seen": "2023-07-28T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -95,7 +95,7 @@
 {
 "description": "In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.\n\nAfter gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]\n\nIn addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a).\n\n**Related Vulnerabilities**: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228[[U.S. 
CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]",
 "meta": {
- "campaign_attack_id": "C5005",
+ "campaign_attack_id": "C3009",
 "first_seen": "2023-01-01T00:00:00Z",
 "last_seen": "2023-04-01T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -115,7 +115,7 @@
 {
 "description": "AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]",
 "meta": {
- "campaign_attack_id": "C5031",
+ "campaign_attack_id": "C3030",
 "first_seen": "2022-05-01T00:00:00Z",
 "last_seen": "2023-03-31T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -134,7 +134,7 @@
 {
 "description": "In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]",
 "meta": {
- "campaign_attack_id": "C5048",
+ "campaign_attack_id": "C3048",
 "first_seen": "2021-03-01T00:00:00Z",
 "last_seen": "2024-05-30T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -202,7 +202,7 @@
 {
 "description": "Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]",
 "meta": {
- "campaign_attack_id": "C5038",
+ "campaign_attack_id": "C3038",
 "first_seen": "2024-04-01T00:00:00Z",
 "last_seen": "2024-04-30T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -219,7 +219,7 @@
 {
 "description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]",
 "meta": {
- "campaign_attack_id": "C5007",
+ "campaign_attack_id": "C3008",
 "first_seen": "2021-01-01T00:00:00Z",
 "last_seen": "2021-12-31T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -236,7 +236,7 @@
 {
 "description": "U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)] According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.[[U.S. Justice Department GRU Botnet February 2024](/references/26a554dc-39c0-4638-902d-7e84fe01b961)]",
 "meta": {
- "campaign_attack_id": "C5015",
+ "campaign_attack_id": "C3027",
 "first_seen": "2022-12-01T00:00:00Z",
 "last_seen": "2024-01-01T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -260,7 +260,7 @@
 {
 "description": "UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.[[U.S. CISA APT29 Cloud Access](/references/e9e08eca-1e01-4ff0-a8ef-49ecf66aaf3d)]",
 "meta": {
- "campaign_attack_id": "C5016",
+ "campaign_attack_id": "C3028",
 "first_seen": "2023-02-26T00:00:00Z",
 "last_seen": "2024-02-26T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -277,7 +277,7 @@
 {
 "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nIn December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.\n\nCVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.\n\nJetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. 
Indicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a).[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]",
 "meta": {
- "campaign_attack_id": "C5012",
+ "campaign_attack_id": "C3017",
 "first_seen": "2023-09-01T00:00:00Z",
 "last_seen": "2023-12-14T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -294,7 +294,7 @@
 {
 "description": "On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.[[U.S. CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]",
 "meta": {
- "campaign_attack_id": "C5047",
+ "campaign_attack_id": "C3047",
 "first_seen": "2022-04-01T00:00:00Z",
 "last_seen": "2022-09-30T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -325,7 +325,7 @@
 {
 "description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]",
 "meta": {
- "campaign_attack_id": "C5049",
+ "campaign_attack_id": "C3049",
 "first_seen": "2023-03-21T00:00:00Z",
 "last_seen": "2024-07-16T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -342,7 +342,7 @@
 {
 "description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]",
 "meta": {
- "campaign_attack_id": "C5019",
+ "campaign_attack_id": "C3036",
 "first_seen": "2023-11-01T00:00:00Z",
 "last_seen": "2024-02-29T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -365,7 +365,7 @@
 {
 "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]",
 "meta": {
- "campaign_attack_id": "C5035",
+ "campaign_attack_id": "C3034",
 "first_seen": "2024-01-01T00:00:00Z",
 "last_seen": "2024-01-01T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -385,7 +385,7 @@
 {
 "description": "Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]",
 "meta": {
- "campaign_attack_id": "C5032",
+ "campaign_attack_id": "C3031",
 "first_seen": "2023-12-01T00:00:00Z",
 "last_seen": "2024-01-19T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -404,7 +404,7 @@
 {
 "description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]",
 "meta": {
- "campaign_attack_id": "C5033",
+ "campaign_attack_id": "C3032",
 "first_seen": "2022-05-20T00:00:00Z",
 "last_seen": "2022-05-20T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -422,7 +422,7 @@
 {
 "description": "Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)][[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]",
 "meta": {
- "campaign_attack_id": "C5037",
+ "campaign_attack_id": "C3037",
 "first_seen": "2024-04-15T00:00:00Z",
 "last_seen": "2024-05-15T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -442,7 +442,7 @@
 {
 "description": "This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.",
 "meta": {
- "campaign_attack_id": "C5029",
+ "campaign_attack_id": "C3025",
 "first_seen": "2023-03-01T00:00:00Z",
 "last_seen": "2024-02-01T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -592,7 +592,7 @@
 {
 "description": "In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)] Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]\n\n**Related Vulnerabilities**: CVE-2023-34362[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]",
 "meta": {
- "campaign_attack_id": "C5002",
+ "campaign_attack_id": "C3005",
 "first_seen": "2023-05-27T00:00:00Z",
 "last_seen": "2023-06-16T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -610,7 +610,7 @@
 {
 "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
 "meta": {
- "campaign_attack_id": "C5026",
+ "campaign_attack_id": "C3022",
 "first_seen": "2023-11-14T00:00:00Z",
 "last_seen": "2023-11-24T00:00:00Z",
 "owner": "TidalCyberIan",
@@ -625,6 +625,28 @@
 "uuid": "bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4",
 "value": "Cloudflare Thanksgiving 2023 security incident"
 },
+ {
+ "description": "Actors deploying a variant of the Mirai botnet, known as Corona, were observed exploiting a zero-day vulnerability (CVE-2024-7029) to achieve initial infection of new devices with the botnet. The vulnerability enables remote code execution on affected devices (AVTECH closed-circuit television (CCTV) cameras), which actors abused to ingress their main payloads.[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]",
+ "meta": {
+ "campaign_attack_id": "C3051",
+ "first_seen": "2024-03-18T00:00:00Z",
+ "last_seen": "2024-08-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "55cb344a-cbd5-4fd1-a1e9-30bbc956527e",
+ "f925e659-1120-4b76-92b6-071a7fb757d6",
+ "06236145-e9d6-461c-b7e4-284b3de5f561",
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "4f1823b1-80ad-4f5d-ba04-a4d4baf37e72",
+ "value": "Corona Mirai Botnet Zero-Day Exploit Campaign"
+ },
 {
 "description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]",
 "meta": {
@@ -664,7 +686,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining acitivty, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]",
"meta": {
- "campaign_attack_id": "C5034",
+ "campaign_attack_id": "C3033",
"first_seen": "2024-01-01T00:00:00Z",
"last_seen": "2024-01-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -682,7 +704,7 @@
{
"description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]",
"meta": {
- "campaign_attack_id": "C5014",
+ "campaign_attack_id": "C3026",
"first_seen": "2022-12-01T00:00:00Z",
"last_seen": "2022-12-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -700,7 +722,7 @@ { "description": "In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]", "meta": { - "campaign_attack_id": "C5006", + "campaign_attack_id": "C3010", "first_seen": "2023-03-01T00:00:00Z", "last_seen": "2023-03-31T00:00:00Z", "owner": "TidalCyberIan", 
@@ -745,7 +767,7 @@
{
"description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]",
"meta": {
- "campaign_attack_id": "C5042",
+ "campaign_attack_id": "C3042",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2024-06-24T00:00:00Z",
"owner": "TidalCyberIan",
@@ -762,7 +784,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5025",
+ "campaign_attack_id": "C3021",
"first_seen": "2023-05-01T00:00:00Z",
"last_seen": "2023-12-12T00:00:00Z",
"owner": "TidalCyberIan",
@@ -780,7 +802,7 @@ { "description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]\n\n**Related Vulnerabilities**: CVE-2021-44228[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]", "meta": { - "campaign_attack_id": "C5008", + "campaign_attack_id": "C3012", "first_seen": "2022-06-15T00:00:00Z", "last_seen": "2022-07-15T00:00:00Z", "owner": "TidalCyberIan", 
@@ -797,7 +819,7 @@ { "description": "In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.[[U.S. CISA Iran Voter Data November 3 2020](/references/be89be75-c33f-4c58-8bf0-979c1debaad7)]", "meta": { - "campaign_attack_id": "C5010", + "campaign_attack_id": "C3014", "first_seen": "2020-09-20T00:00:00Z", "last_seen": "2020-10-20T00:00:00Z", "owner": "TidalCyberIan", 
@@ -810,7 +832,7 @@ { "description": "In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)], CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591[[U.S. 
CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]", "meta": { - "campaign_attack_id": "C5009", + "campaign_attack_id": "C3013", "first_seen": "2021-03-01T00:00:00Z", "last_seen": "2022-09-14T00:00:00Z", "owner": "TidalCyberIan", @@ -865,7 +887,7 @@ { "description": "JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.[[elastic.co 6 21 2023](/references/42c40ec8-f46a-48fa-bd97-818e3d3d320e)]", "meta": { - "campaign_attack_id": "C5036", + "campaign_attack_id": "C3035", "first_seen": "2023-05-31T00:00:00Z", "last_seen": "2023-06-01T00:00:00Z", "owner": "TidalCyberIan", 
@@ -882,7 +904,7 @@ { "description": "In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]\n\n**Related Vulnerabilities**: CVE-2023-3519[[U.S. 
CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]", "meta": { - "campaign_attack_id": "C5001", + "campaign_attack_id": "C3004", "first_seen": "2023-06-01T00:00:00Z", "last_seen": "2023-06-30T00:00:00Z", "owner": "TidalCyberIan", 
@@ -900,7 +922,7 @@ { "description": "In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.\n\nCitrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.\n\nAfter successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a).[[U.S. 
CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)] Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)][[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]", "meta": { - "campaign_attack_id": "C5011", + "campaign_attack_id": "C3016", "first_seen": "2023-08-01T00:00:00Z", "last_seen": "2023-11-16T00:00:00Z", "owner": "TidalCyberIan", 
@@ -917,10 +939,27 @@
"uuid": "f4225d6a-8734-401f-aa2a-1a73c23b16e6",
"value": "LockBit Affiliate Citrix Bleed Exploits"
},
+ {
+ "description": "Researchers discovered the existence of a newly identified red teaming framework used to generate attack payloads, called \"MacroPack\". The framework was used to deploy the Brute Ratel and Havoc post-exploitation frameworks and the PhantomCore remote access trojan. In addition to red teaming applications, researchers assessed that MacroPack is also being abused by threat actors.[[Cisco Talos Blog September 3 2024](/references/b222cabd-347d-45d4-aeaf-4135795d944d)]",
+ "meta": {
+ "campaign_attack_id": "C3052",
+ "first_seen": "2024-05-01T00:00:00Z",
+ "last_seen": "2024-07-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "2229e945-ec3d-4e20-ad4a-bd12741a6724",
+ "value": "MacroPack Payload Delivery Activity"
+ },
{
"description": "The DFIR Report researchers reported about activity taking place in May 2023, which saw an adversary, attributed to FIN11 and Lace Tempest, achieve initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then subsequently used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. In total, the activity lasted for 29 hours.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]",
"meta": {
- "campaign_attack_id": "C5021",
+ "campaign_attack_id": "C3002",
"first_seen": "2023-05-01T00:00:00Z",
"last_seen": "2023-05-31T00:00:00Z",
"owner": "TidalCyberIan",
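Review bot: The MacroPack description calls it "a newly identified red teaming framework", but MacroPack is, to my knowledge, a long-public open-source payload generator that predates 2024 by several years, and the cited Talos reporting concerns threat-actor abuse of that existing tool rather than its discovery — confirm against the source and reword along the lines of `Researchers reported multiple threat actors abusing MacroPack, a publicly available red-teaming framework for generating obfuscated Office and script payloads, to deliver Brute Ratel, Havoc and the PhantomCore RAT.` Presenting the tool as newly discovered will mislead analysts triaging MacroPack-generated artifacts into treating any hit as novel tooling, when the actionable point is that commodity red-team output is now a threat-actor delivery mechanism. The entry also carries only two tags and an empty `related`, so nothing links it to the Brute Ratel or Havoc clusters it names; adding `related` entries for those (if they exist in the galaxy) would make the campaign pivotable in MISP.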
@@ -937,7 +976,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5027",
+ "campaign_attack_id": "C3023",
"first_seen": "2023-11-30T00:00:00Z",
"last_seen": "2024-01-12T00:00:00Z",
"owner": "TidalCyberIan",
@@ -955,7 +994,7 @@
{
"description": "Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Tukery, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. Researchers attributed the activity to the Molerats APT group.[[Zscaler Molerats Campaign](/references/3b39e73e-229f-4ff4-bec3-d83e6364a66e)]",
"meta": {
- "campaign_attack_id": "C5022",
+ "campaign_attack_id": "C3011",
"first_seen": "2021-07-01T00:00:00Z",
"last_seen": "2021-12-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -972,7 +1011,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]",
"meta": {
- "campaign_attack_id": "C5039",
+ "campaign_attack_id": "C3039",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2024-05-28T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1001,7 +1040,7 @@ { "description": "According to details published by Okta Security, threat actors gained unauthorized access to Okta’s customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.\n\nAfter gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. Considering that customers’ names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.[[Okta HAR Files Incident Notice](/references/14855034-494e-477d-8c91-fc534fd7790d)][[Okta HAR Files RCA](/references/742d095c-9bd1-4f4a-8bc6-16db6d15a9f4)][[Okta HAR Files Incident Update](/references/5e09ab9c-8cb2-49f5-b65f-fd5447e71ef4)]", "meta": { - "campaign_attack_id": "C5023", + "campaign_attack_id": "C3018", "first_seen": "2023-09-28T00:00:00Z", "last_seen": "2023-10-17T00:00:00Z", "owner": "TidalCyberIan", 
@@ -1019,7 +1058,7 @@
{
"description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]",
"meta": {
- "campaign_attack_id": "C5018",
+ "campaign_attack_id": "C3015",
"first_seen": "2022-03-01T00:00:00Z",
"last_seen": "2022-04-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1096,7 +1135,7 @@
{
"description": "Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacany announcements for cryptocurrency companies. They are designed to ultimately infect targets with macOS malware.[[SentinelOne 9 26 2022](/references/973a110c-f1cd-46cd-b92b-5c7d8e7492b1)]",
"meta": {
- "campaign_attack_id": "C5040",
+ "campaign_attack_id": "C3040",
"first_seen": "2019-12-01T00:00:00Z",
"last_seen": "2022-09-26T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1149,7 +1188,7 @@ { "description": "In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.[[PaperCut MF/NG vulnerability bulletin](/references/d6e71b45-fc91-40f4-8201-2186994ae42a)] According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\nCVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the \"Education Facilities Subsector\" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\nThe Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. 
More details and resources for detection can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a).\n\n**Related Vulnerabilities**: CVE-2023-27350[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]", "meta": { - "campaign_attack_id": "C5003", + "campaign_attack_id": "C3006", "first_seen": "2023-04-15T00:00:00Z", "last_seen": "2023-05-30T00:00:00Z", "owner": "TidalCyberIan", @@ -1169,7 +1208,7 @@ { "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nThis is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)][[Unit42 Malware Roundup December 29 2023](/references/a18e19b5-9046-4c2c-bd94-2cd5061064bf)]; however, the Technique- and Procedure level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.[[Trend Micro Pikabot January 9 2024](/references/dc7d882b-4e83-42da-8e2f-f557b675930a)]", "meta": { - "campaign_attack_id": "C5013", + "campaign_attack_id": "C3019", "first_seen": "2023-02-01T00:00:00Z", "last_seen": "2023-12-31T00:00:00Z", "owner": "TidalCyberIan", 
@@ -1186,7 +1225,7 @@
{
"description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)][[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]",
"meta": {
- "campaign_attack_id": "C5045",
+ "campaign_attack_id": "C3045",
"first_seen": "2024-03-01T00:00:00Z",
"last_seen": "2024-06-07T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1203,7 +1242,7 @@
{
"description": "A collections of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. The campaign comes about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.[[K7 QakBot Returns January 4 2024](/references/5cb5e645-b77b-4bd1-a742-c8f53f234713)]",
"meta": {
- "campaign_attack_id": "C5024",
+ "campaign_attack_id": "C3020",
"first_seen": "2023-12-11T00:00:00Z",
"last_seen": "2024-01-04T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1221,7 +1260,7 @@
{
"description": "Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. The incident was described as \"one of the fastest ransomware cases\" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.[[The DFIR Report April 25 2022](/references/2e28c754-911a-4f08-a7bd-4580f5283571)]",
"meta": {
- "campaign_attack_id": "C5043",
+ "campaign_attack_id": "C3043",
"first_seen": "2022-04-01T00:00:00Z",
"last_seen": "2022-04-25T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1240,7 +1279,7 @@
{
"description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. This object reflects the MITRE ATT&CK® Techniques associated with this activity.[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).",
"meta": {
- "campaign_attack_id": "C5041",
+ "campaign_attack_id": "C3041",
"first_seen": "2023-08-13T00:00:00Z",
"last_seen": "2024-06-13T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1258,7 +1297,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka \"SlashAndGrab\"). Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.\n\nFurther background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5028",
+ "campaign_attack_id": "C3024",
"first_seen": "2024-02-19T00:00:00Z",
"last_seen": "2024-02-23T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1296,7 +1335,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5030",
+ "campaign_attack_id": "C3029",
"first_seen": "2024-02-26T00:00:00Z",
"last_seen": "2024-02-27T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1325,10 +1364,38 @@ "uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b", "value": "Triton Safety Instrumented System Attack" }, + { + "description": "On September 5, 2024, international authorities published joint Cybersecurity Advisory AA24-249A, which detailed recent activity linked to cyber actors affiliated with the 161st Specialist Training Center (aka Unit 29155) of the Russian General Staff Main Intelligence Directorate (GRU), the foreign military intelligence agency of Russia's armed forces. The advisory highlighted Unit 29155 espionage, sabotage, and reputational cyber attacks carried out against targets around the world since 2020.\n\nWhile Unit 29155 had been previously linked to influence, interference, and physical sabotage operations, the advisory noted how the group has expanded its tradecraft to now include offensive cyber operations. The advisory indicated that several groups tracked by the cybersecurity community relate to Unit 29155 cyber actors but may not be directly synonyms with all parts of the Unit (or each other), including: Cadet Blizzard, DEV-0586, Ember Bear, Bleeding Bear, Frozenvista, UNC2589, and UAC-0056.[[U.S. 
CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]", + "meta": { + "campaign_attack_id": "C3053", + "first_seen": "2020-08-03T00:00:00Z", + "last_seen": "2024-09-05T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "5b8371c5-1173-4496-82c7-5f0433987e77", + "f18e6c1d-d2ee-4eda-8172-67dcbc4e59ed", + "9e4936f0-e3b7-4721-a638-58b2d093b2f2", + "1281067e-4a7e-4003-acf8-e436105bf395", + "7c67d99a-fc8a-4463-8f46-45e9a39fe6b0", + "fe28cf32-a15c-44cf-892c-faa0360d6109", + "15f2277a-a17e-4d85-8acd-480bf84f16b4" + ] + }, + "related": [], + "uuid": "5e1bc9d2-1f2e-4ba3-b6b8-8d4e1f635762", + "value": "Unit 29155 Russian Military Cyber Activity" + }, { "description": "Researchers observed suspected \"China-nexus\" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute \"previously unknown custom malware\" on the devices' operating systems. Researchers first observed \"zero-day\" exploit activity in the wild at an undisclosed point \"during the past year\", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.\n\nThe vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\". 
This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.[[The Hacker News Velvet Ant Cisco July 2 2024](/references/e3949201-c949-4126-9e02-34bfad4713c0)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]", "meta": { - "campaign_attack_id": "C5046", + "campaign_attack_id": "C3046", "first_seen": "2023-07-01T00:00:00Z", "last_seen": "2024-07-01T00:00:00Z", "owner": "TidalCyberIan", @@ -1348,7 +1415,7 @@ { "description": "This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a suspected \"China-nexus\" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network – residing and remaining active there for around three years – notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. Researchers assess the intrusion was carried out for espionage purposes.[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[BleepingComputer Velvet Ant June 17 2024](/references/70235e47-f8bb-4d16-9933-9f4923f08f5d)]", "meta": { - "campaign_attack_id": "C5044", + "campaign_attack_id": "C3044", "first_seen": "2020-12-01T00:00:00Z", "last_seen": "2023-12-01T00:00:00Z", "owner": "TidalCyberIan", 
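Review bot: In the Unit 29155 description, "may not be directly synonyms with all parts of the Unit" should read "may not be directly synonymous with all parts of the Unit". More substantively, the entry gives no structured vulnerability data even though the advisory it cites (AA24-249A) to my recollection enumerates the CVEs these actors exploited for initial access; other entries in this file carry a `**Related Vulnerabilities**: CVE-…` trailer for exactly that purpose, so consider adding one sourced from the advisory rather than leaving exploit detail reachable only through the external reference. The `first_seen` of `2020-08-03T00:00:00Z` is also more precise than the description's "since 2020" supports — confirm that date against the advisory or widen it, since consumers will filter on it.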
@@ -1363,10 +1430,49 @@ "uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7", "value": "Velvet Ant F5 BIG-IP Espionage Activity" }, + { + "description": "Void Banshee is an advanced persistent threat (APT) group identified by Trend Micro researchers, which is known to target victims in North America, Europe, and Southeast Asia for information theft and financial gain. In May 2024, researchers observed Void Banshee actors exploiting CVE-2024-38112, a remote code execution vulnerability in the \"MSHTML\" web browser software component. The vulnerability had not been previously disclosed, so the campaign was characterized as \"zero-day\" exploit activity. Actors delivered the Atlantida infostealer malware during the observed attacks.[[Trend Micro Void Banshee July 15 2024](/references/02c4dda2-3aae-43ec-9b14-df282b200def)]\n\nLater, researchers noted that Void Banshee also exploited a separate MSHTML-related vulnerability, CVE-2024-43461, as a zero-day during attacks culminating in Atlantida infostealer deployments.[[BleepingComputer Void Banshee September 16 2024](/references/2c9a2355-02c5-4718-ad6e-b2fac9ad4096)]", + "meta": { + "campaign_attack_id": "C3054", + "first_seen": "2024-05-15T00:00:00Z", + "last_seen": "2024-07-15T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "0281a78d-1eb1-4e10-9327-2032928e37d9", + "ff8a2e10-4bf7-45f0-954c-8847fdcb9612", + "a98d7a43-f227-478e-81de-e7299639a355", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "dbe34d5d-91b0-4a50-98c7-4e36ba0bcda6", + "value": "Void Banshee Zero-Day Exploit Activity" + }, + { + "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. 
Further contextual details are provided via the sources in the References tab below and any associated Tags.", + "meta": { + "campaign_attack_id": "C3050", + "first_seen": "2024-08-05T00:00:00Z", + "last_seen": "2024-08-29T00:00:00Z", + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", + "82009876-294a-4e06-8cfc-3236a429bda4", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ] + }, + "related": [], + "uuid": "e740e392-98cb-428a-ab92-b0a4d1d546b7", + "value": "Voldemort Malware Delivery Campaign" + }, { "description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]", "meta": { - "campaign_attack_id": "C5020", + "campaign_attack_id": "C3001", "first_seen": "2020-10-01T00:00:00Z", "last_seen": "2022-04-13T00:00:00Z", "owner": "TidalCyberIan", diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json index b3b4666..344c6f0 100644 --- a/clusters/tidal-groups.json +++ b/clusters/tidal-groups.json 
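Review bot: `last_seen` for the new Void Banshee campaign is `2024-07-15T00:00:00Z`, yet the description goes on to cite a September 16 2024 report of a second zero-day (CVE-2024-43461) exploited by the same actor, so the observation window appears to end before activity the object itself describes; either extend `last_seen` or state in the description that the later activity is out of scope for this campaign object. In the same hunk, the Voldemort Malware Delivery Campaign entry carries only the generic "This object represents a collection of MITRE ATT&CK® Techniques…" text, so a reader gets no indication of what Voldemort is or how it was delivered. One sentence summarising the campaign would make the cluster self-describing instead of leaving that to the opaque tag UUIDs.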
@@ -12,7 +12,7 @@ { "description": "This object represents the behaviors associated with operators of 8Base ransomware, who may or may not operate as a cohesive unit. Behaviors associated with samples of 8Base ransomware are represented in the \"8Base Ransomware\" Software object.\n \nThe 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[[VMWare 8Base June 28 2023](/references/573e9520-6181-4535-9ed3-2338688a8e9f)][[Acronis 8Base July 17 2023](/references/c9822477-1578-4068-9882-41e4d6eaee3f)]", "meta": { - "group_attack_id": "G5030", + "group_attack_id": "G3014", "observed_motivations": [ "Financial Gain" ], @@ -54,12 +54,7 @@ "Financial Services" ] }, - "related": [ - { - "dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b", - "type": "similar" - } - ], + "related": [], "uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "value": "admin@338" }, @@ -100,6 +95,7 @@ ], "source": "MITRE", "tags": [ + "fde14c10-e749-4c04-b97f-1d9fbd6e72e7", "0580d361-b60b-4664-9b2e-6d737e495cc1", "9768aada-9d63-4d46-ab9f-d41b8c8e4010", "a159c91c-5258-49ea-af7d-e803008d97d3", @@ -114,6 +110,7 @@ "562e535e-19f5-4d6c-81ed-ce2aec544f09" ], "target_categories": [ + "Aerospace", "Agriculture", "Banks", "Construction", @@ -128,7 +125,8 @@ "Non Profit", "Retail", "Technology", - "Telecommunications" + "Telecommunications", + "Transportation" ] }, "related": [], 
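Review bot: The `related` array for admin@338 is emptied, dropping the `similar` link to dest-uuid `ac4bce1f-b3ec-4c44-bd36-b6cc986b319b`, and the same blanking recurs in later hunks for APT1, APT16, APT17, APT18, APT19, APT28, APT29, APT30, APT32, APT33, APT37, APT38, APT39, APT41, Axiom, BlackOasis, BlackTech, BRONZE BUTLER, Carbanak, Cleaver, Cobalt Group, CopyKittens, Dark Caracal, Darkhotel, DarkHydrus, Deep Panda, Dragonfly, DragonOK, Elderwood and Equation. Those dest-uuids appear to be cross-references to clusters in another galaxy, and any consumer that pivots on them (for example MISP correlation between these Tidal group objects and that galaxy) loses the link once the arrays are `[]`. If the upstream export genuinely no longer carries these relationships this is expected, but it should be stated in the commit message; if the generator merely stopped emitting them, the previous values should be restored rather than blanked.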
@@ -310,7 +308,7 @@
 {
 "description": "AnonGhost is an apparent hacktivist collective. In October 2023, following a series of air- and land-based attacks in the Gaza Strip, AnonGhost was one of several hacktivist groups that claimed responsibility for disruptive attacks against computer networks in Israel. Researchers indicated that they observed AnonGhost actors exploit an undisclosed API vulnerability in Red Alert, an application that provides warning of projectile attacks in Israel, using Python scripts to intercept web requests and send spam messages to the app's users.[[Group-IB Threat Intelligence Tweet October 9 2023](/references/2df546ed-6577-44b2-9b26-0a17c3622df7)]",
 "meta": {
- "group_attack_id": "G5011",
+ "group_attack_id": "G3024",
 "observed_countries": [
 "IL",
 "US"
@@ -330,7 +328,7 @@ { "description": "Anonymous Sudan is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) and website defacement attacks in support of its ideology, which appears to largely align with Russian state interests. The group regularly cross-promotes communications with Killnet, another hacktivist group that appears to share similar ideologies and methods of operation.[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)] Researchers assess that the group is affiliated with neither the Anonymous hacktivist group nor Sudan.[[CyberCX Anonymous Sudan June 19 2023](/references/68ded9b7-3042-44e0-8bf7-cdba2174a3d8)]\n\nSince emerging in January 2023, Anonymous Sudan has claimed and is believed to be responsible for a considerable number of DDoS attacks affecting victims in a wide range of geographic locations and sectors.[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)] It claimed responsibility for a series of early June 2023 DDoS attacks that caused temporary interruptions to Microsoft Azure, Outlook, and OneDrive services. Microsoft security researchers attributed those attacks to the Storm-1359 group.[[The Hacker News Microsoft DDoS June 19 2023](/references/2ee27b55-b7a7-40a8-8c0b-5e28943cd273)][[Microsoft DDoS Attacks Response June 2023](/references/d64e941e-785b-4b23-a7d0-04f12024b033)] Like Killnet, Anonymous Sudan claimed responsibility for disruptive attacks against computer networks in Israel following a series of air- and land-based attacks in the Gaza Strip in October 2023.[[FalconFeedsio Tweet October 9 2023](/references/e9810a28-f060-468b-b4ea-ffed9403ae8b)]", "meta": { - "group_attack_id": "G5010", + "group_attack_id": "G3023", "observed_countries": [ "AU", "DK", 
@@ -419,12 +417,7 @@
 "Transportation"
 ]
 },
- "related": [
- {
- "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
 "value": "APT1"
 },
@@ -466,12 +459,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "06a05175-0812-44f5-a529-30eba07d1762",
 "value": "APT16"
 },
@@ -503,12 +491,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "5f083251-f5dc-459a-abfc-47a1aa7f5094",
 "value": "APT17"
 },
@@ -526,12 +509,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "a0c31021-b281-4c41-9855-436768299fe7",
 "value": "APT18"
 },
@@ -557,12 +535,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439",
 "value": "APT19"
 },
@@ -570,7 +543,7 @@
 "description": "APT20 is a suspected China-attributed espionage actor. It has attacked organizations in a wide range of verticals for data theft. These operations appear to be motivated by the acquisition of intellectual property but also collection of information around individuals with particular political interests.[[Mandiant APT Groups List](/references/c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97)] Researchers attributed, with medium confidence, the years-long Operation Wocao espionage campaign to APT20.[[FoxIT Wocao December 2019](/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]",
 "meta": {
 "country": "CN",
- "group_attack_id": "G5006",
+ "group_attack_id": "G3020",
 "observed_countries": [
 "BR",
 "CN",
@@ -705,12 +678,7 @@
 "Utilities"
 ]
 },
- "related": [
- {
- "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
 "value": "APT28"
 },
@@ -800,12 +768,7 @@
 "Video Games"
 ]
 },
- "related": [
- {
- "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
 "value": "APT29"
 },
@@ -864,12 +827,7 @@
 "Media"
 ]
 },
- "related": [
- {
- "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
 "value": "APT30"
 },
@@ -907,12 +865,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
 "value": "APT32"
 },
@@ -927,6 +880,7 @@
 "IL",
 "KR",
 "SA",
+ "AE",
 "GB",
 "US"
 ],
@@ -935,20 +889,23 @@
 ],
 "source": "MITRE",
 "tags": [
+ "cb5803f0-8ab4-4ada-8540-7758dfc126e2",
+ "0f1b7cb0-c4de-485e-8ff5-fe12ffccd738",
+ "dd24557e-a8e8-4202-872d-c2f411974cad",
 "c9c73000-30a5-4a16-8c8b-79169f9c24aa",
 "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
 ],
 "target_categories": [
 "Aerospace",
- "Energy"
+ "Defense",
+ "Education",
+ "Energy",
+ "Government",
+ "Pharmaceuticals",
+ "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
 "value": "APT33"
 },
@@ -983,12 +940,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
 "value": "APT37"
 },
@@ -1054,12 +1006,7 @@ "Media" ] }, - "related": [ - { - "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", - "type": "similar" - } - ], + "related": [], "uuid": "dfbce236-735c-436d-b433-933bd6eae17b", "value": "APT38" }, @@ -1078,6 +1025,9 @@ "AE", "US" ], + "observed_motivations": [ + "Cyber Espionage" + ], "source": "MITRE", "target_categories": [ "Education", @@ -1086,12 +1036,7 @@ "Travel Services" ] }, - "related": [ - { - "dest-uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", - "type": "similar" - } - ], + "related": [], "uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "value": "APT39" }, @@ -1167,12 +1112,7 @@ "Video Games" ] }, - "related": [ - { - "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", - "type": "similar" - } - ], + "related": [], "uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "value": "APT41" }, @@ -1180,7 +1120,7 @@ "description": "APT42 is an Iranian state-sponsored espionage group believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO). APT42 primarily focuses on collecting information on and surveilling its targets, mainly individuals and organizations with strategic significance to Iran's government. The group's operations are characterized by targeted spear-phishing attacks and surveillance activity. Mandiant researchers acknowledged overlaps between APT42 and APT35, which both likely operate on behalf of the IRGC, but noted that the groups display \"substantial differences\" in targeting patterns and TTPs.[[Mandiant Crooked Charms August 12 2022](/references/53bab956-be5b-4d8d-b553-9926bc5d9fee)]", "meta": { "country": "IR", - "group_attack_id": "G5051", + "group_attack_id": "G3050", "observed_countries": [ "AU", "BG", @@ -1327,12 +1267,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", - "type": "similar" - } - ], + "related": [], "uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "value": "Axiom" }, 
@@ -1373,7 +1308,7 @@ { "description": "BianLian is an extortion-focused threat actor group. The group originally used double-extortion methods when it began its operations in June 2022, demanding payment in exchange for decrypting locked files while also threatening to leak exfiltrated data. U.S. & Australian cybersecurity officials observed BianLian actors shifting almost exclusively to exfiltration-focused extortion schemes in 2023.[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)], CVE-2021-34473[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)], CVE-2021-34523[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)], CVE-2021-31207[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/BianLian", "meta": { - "group_attack_id": "G5000", + "group_attack_id": "G3002", "observed_countries": [ "AU", "CA", @@ -1438,7 +1373,7 @@ { "description": "Bl00dy self-identifies as a ransomware group. It gained attention in May 2023 for a series of data exfiltration and encryption attacks against education entities in the United States that featured exploit of vulnerabilities in PaperCut print management software, which is prevalent in the sector.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\n**Related Vulnerabilities**: CVE-2023-27350[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]", "meta": { - "group_attack_id": "G5002", + "group_attack_id": "G3010", "observed_countries": [ "US" ], 
@@ -1472,7 +1407,7 @@
 {
 "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Black Basta, a ransomware-as-a-service (RaaS) variant that researchers believe has been used since at least April 2022. Black Basta affiliates have attacked a very wide range of targets, including organizations in at least 12 out of 16 U.S. critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.[[U.S. CISA Black Basta May 10 2024](/references/10fed6c7-4d73-49cd-9170-3f67d06365ca)]\n\nSpecific pre- and post-exploit behaviors may vary among intrusions carried out by different Black Basta affiliates. TTPs associated with the Black Basta ransomware binary itself can be found in the separate dedicated Software object.",
 "meta": {
- "group_attack_id": "G5023",
+ "group_attack_id": "G3037",
 "observed_countries": [
 "AU",
 "AT",
@@ -1522,7 +1457,7 @@ { "description": "This object represents the BlackCat/ALPHV Ransomware-as-a-Service (“RaaS”) apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nResearchers first observed BlackCat ransomware (AKA ALPHV or Noberus) in November 2021. An April 2022 U.S. FBI advisory linked BlackCat’s developers and money launderers to the defunct Blackmatter and Darkside ransomware operations (the latter was responsible for the major 2021 Colonial Pipeline incident).[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] As of September 2023, BlackCat is believed to be responsible for attacking organizations globally and in virtually every major sector, and it consistently claims some of the highest victim tallies of any RaaS. According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, BlackCat actors publicly claimed 233 victims in 2022, the third most of any ransomware operation in the dataset (considerably below Clop (558) but well above Hive (181)), and it already surpassed that number by July of 2023.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] Like many RaaS, BlackCat actors threaten to leak exfiltrated victim data, but they also threaten to carry out denial of service attacks if victims do not pay timely ransoms.[[BlackBerry BlackCat Threat Overview](/references/59f98ae1-c62d-460f-8d2a-9ae287b59953)]\n\nBlackCat developers have regularly evolved the namesake ransomware over time, and collaboration with affiliates means that a large number and variety of tools & TTPs are observed during intrusions involving BlackCat. 
BlackCat became the first prominent ransomware family to transition to the Rust programming language in 2022, which researchers assess provides greater customization and defense evasion capabilities and faster performance.[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)][[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] A BlackCat variant named Sphynx emerged in early 2023, featuring multiple defense evasion-focused enhancements. In Q3 2023, public reports suggested that Scattered Spider (AKA 0ktapus or UNC3944), a group attributed to several prominent intrusions involving telecommunications, technology, and casino entities, had begun to use BlackCat/Sphynx ransomware during its operations.[[Caesars Scattered Spider September 13 2023](/references/6915c003-7c8b-451c-8fb1-3541f00c14fb)][[BushidoToken Scattered Spider August 16 2023](/references/621a8320-0e3c-444f-b82a-7fd4fdf9fb67)]", "meta": { - "group_attack_id": "G5005", + "group_attack_id": "G3019", "observed_countries": [ "AU", "AT", 
@@ -1639,19 +1574,14 @@ ], "source": "MITRE" }, - "related": [ - { - "dest-uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec", - "type": "similar" - } - ], + "related": [], "uuid": "428dc121-a593-4981-9127-f958ae0a0fdd", "value": "BlackOasis" }, { "description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy BlackSuit, a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[[HC3 Analyst Note BlackSuit Ransomware November 2023](/references/d956f0c6-d90e-49e8-a64c-a46bfc177cc6)] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\nATT&CK Techniques associated with the BlackSuit ransomware binary are tracked in a separate \"BlackSuit Ransomware\" Software object.", "meta": { - "group_attack_id": "G5048", + "group_attack_id": "G3047", "observed_countries": [ "AU", "BR", @@ -1731,12 +1661,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e", - "type": "similar" - } - ], + "related": [], "uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "value": "BlackTech" }, 
@@ -1780,19 +1705,14 @@
 "Manufacturing"
 ]
 },
- "related": [
- {
- "dest-uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
 "value": "BRONZE BUTLER"
 },
 {
 "description": "This Group object reflects the tools & TTPs observed in use by threat actors known to deploy CACTUS, a ransomware that researchers believe has been used since at least March 2023.[[Kroll CACTUS Ransomware May 10 2023](/references/f50de2f6-465f-4cae-a79c-cc135ebfee4f)] Specific pre- and post-exploit behaviors may vary among intrusions carried out by distinct actors or actor clusters. TTPs associated with the CACTUS ransomware binary itself can be found in the separate dedicated Software object.",
 "meta": {
- "group_attack_id": "G5035",
+ "group_attack_id": "G3030",
 "observed_countries": [
 "AU",
 "BE",
@@ -1814,6 +1734,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "0bcc4824-7e68-4aac-b883-935e62b5be39",
 "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
 "3b615816-3403-46a4-bd7e-f7a723fc56da",
 "a2e000da-8181-4327-bacd-32013dbd3654",
@@ -1877,15 +1798,33 @@
 "Financial Services"
 ]
 },
- "related": [
- {
- "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
 "value": "Carbanak"
 },
+ {
+ "description": "Charcoal Stork is a threat actor believed to provide content used to fuel malvertising and search engine optimization (SEO) operations, which affiliates ultimately use to deliver malware to victim systems. Charcoal Stork is thought to be financially motivated, operating on a pay-per-install basis.[[Red Canary March 18 2024](/references/a86131cd-1a42-4222-9d39-221dd6e054ba)]",
+ "meta": {
+ "group_attack_id": "G5022",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Commercial",
+ "Healthcare",
+ "Manufacturing"
+ ]
+ },
+ "related": [],
+ "uuid": "6d23e83f-fd4f-4802-bd01-daff7348741d",
+ "value": "Charcoal Stork"
+ },
 {
 "description": "[Chimera](https://app.tidalcyber.com/groups/ca93af75-0ffa-4df4-b86a-92d4d50e496e) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[[Cycraft Chimera April 2020](https://app.tidalcyber.com/references/a5a14a4e-2214-44ab-9067-75429409d744)][[NCC Group Chimera January 2021](https://app.tidalcyber.com/references/70c217c3-83a2-40f2-8f47-b68d8bd4cdf0)]",
 "meta": {
@@ -1895,6 +1834,9 @@
 "TW"
 ],
 "source": "MITRE",
+ "tags": [
+ "ff873c9d-468f-46c4-a6ee-c8c707df0be7"
+ ],
 "target_categories": [
 "Semi Conductors",
 "Travel Services"
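Review bot: The new Charcoal Stork entry uses `"group_attack_id": "G5022"` while every other `group_attack_id` this commit touches moves from the G5xxx range into G3xxx (for example `G5030` → `G3014` for 8Base and `G5023` → `G3037` for Black Basta) and the other groups added in this commit use `G3051` and `G3053`. If the renumbering is a deliberate migration, this one looks like it was missed and should be checked against the upstream Tidal identifier. If `G5022` was assigned to a different group under the old scheme, leaving it here would also make the attack id ambiguous for anyone correlating on that field across versions of the galaxy.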
@@ -1904,6 +1846,35 @@ "uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "value": "Chimera" }, + { + "description": "A suspected ransomware-as-a-service (\"RaaS\") group first observed in June 2024, which extorts victims via traditional ransomware encryption and by threatening to leak allegedly exfiltrated data onto the web.[[Truesec AB August 30 2024](/references/de2de0a9-17d2-41c2-838b-7850762b80ae)]", + "meta": { + "group_attack_id": "G3051", + "observed_countries": [ + "GB", + "US" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "a2e000da-8181-4327-bacd-32013dbd3654", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Manufacturing" + ] + }, + "related": [], + "uuid": "7a28cff6-80df-49e1-8457-a0305e736897", + "value": "Cicada3301 Ransomware Group" + }, { "description": "[Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) source code. [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. 
Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) may be motivated by intellectual property theft or cyberespionage rather than financial gain.[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)][[Microsoft Threat Actor Naming July 2023](https://app.tidalcyber.com/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)][[Trend Micro Cheerscrypt May 2022](https://app.tidalcyber.com/references/ca7ccf2c-37f3-522a-acfb-09daa16e23d8)][[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022](https://app.tidalcyber.com/references/0b275cf9-a885-58cc-b859-112090a711e3)]", "meta": { @@ -1952,12 +1923,7 @@ "Telecommunications" ] }, - "related": [ - { - "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", - "type": "similar" - } - ], + "related": [], "uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "value": "Cleaver" }, @@ -1993,12 +1959,7 @@ "Financial Services" ] }, - "related": [ - { - "dest-uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe", - "type": "similar" - } - ], + "related": [], "uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "value": "Cobalt Group" }, 
@@ -2046,19 +2007,67 @@ "Technology" ] }, - "related": [ - { - "dest-uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae", - "type": "similar" - } - ], + "related": [], "uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "value": "CopyKittens" }, + { + "description": "CosmicBeetle is a threat actor, active since 2020, that has been associated with multiple ransomware families. Originally known for using a set of custom tools, including ScRansom (a successor to the \"Scarab\" encryptor), researchers reported in September 2024 that they observed a suspected CosmicBeetle attack that involved deployment of tools and malware associated with the RansomHub ransomware-as-a-service operation.[[WeLiveSecurity CosmicBeetle September 10 2024](/references/8debba29-4d6d-41d2-8772-f97c7d49056b)][[BleepingComputer NoName September 10 2024](/references/79752048-f2fd-4357-9e0a-15b9a2927852)]", + "meta": { + "group_attack_id": "G3053", + "observed_countries": [ + "AT", + "CZ", + "FR", + "GF", + "GE", + "GT", + "IN", + "PE", + "PL", + "ZA", + "ES", + "CH", + "TR" + ], + "observed_motivations": [ + "Financial Gain" + ], + "owner": "TidalCyberIan", + "source": "Tidal Cyber", + "tags": [ + "55ba9d29-7185-40eb-ba10-874cb3997a0f", + "793f4441-3916-4b3d-a3fd-686a59dc3de2", + "c40971d6-ad75-4b2d-be6c-5353c96a232d", + "3adcb409-166d-4465-ba1f-ddaecaff8282", + "33d22eff-59a1-47e0-b9eb-615dee314595", + "89c5b94b-ecf4-4d53-9b74-3465086d4565", + "09de661e-60c4-43fb-bfef-df017215d1d8", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "target_categories": [ + "Education", + "Financial Services", + "Government", + "Healthcare", + "Hospitality Leisure", + "Legal", + "Manufacturing", + "Pharmaceuticals", + "Technology" + ] + }, + "related": [], + "uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "value": "CosmicBeetle" + }, { "description": "A Group object to represent actors that deploy 
Cuba Ransomware in victim environments.[[U.S. CISA Cuba Ransomware October 2022](/references/d6ed5172-a319-45b0-b1cb-d270a2a48fa3)]",
 "meta": {
- "group_attack_id": "G5026",
+ "group_attack_id": "G3008",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -2090,7 +2099,7 @@
 "description": "The Cyber Army of Russia is a threat group that appears to carry out cyber attacks in line with Russian strategic interests. The group has claimed many distributed denial of service (DDoS) attacks against a variety of targets perceived as opposed to Russian interests. More recently, it has claimed disruptive industrial software-based attacks against water utilities in the United States, France, and Poland. Researchers link the Cyber Army of Russia to APT44 / Sandworm Team, although it remains unclear what level of direct support, if any, is provided by the latter group.[[Wired Cyber Army of Russia April 17 2024](/references/53583baf-4e09-4d19-9348-6110206b88be)][[Mandiant APT44 April 17 2024](/references/a64f689e-2bb4-4253-86cd-545e7f633a7e)]",
 "meta": {
 "country": "RU",
- "group_attack_id": "G5038",
+ "group_attack_id": "G3035",
 "observed_countries": [
 "FR",
 "PL",
@@ -2124,7 +2133,7 @@ "description": "CyberAv3ngers is a cyber actor group that has claimed responsibility for numerous disruption-focused attacks against critical infrastructure organizations, including an oil refinery and electric utility in Israel and water/wastewater utilities in the United States. According to a joint advisory released by U.S. & Israeli cybersecurity authorities in December 2023, CyberAv3ngers (aka Cyber Av3ngers or Cyber Avengers) is a “cyber persona” of advanced persistent threat actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The advisory detailed how suspected CyberAv3ngers actors compromised programmable logic controller (PLC) devices that were exposed to the internet and used the vendor's default passwords and ports, leaving defacement images and possibly rendering the devices inoperable. The defacement messages suggested that the group or affiliates might carry out attacks against other technological equipment produced in or associated with Israel.[[U.S. CISA IRGC-Affiliated PLC Activity December 2023](/references/51a18523-5276-4a67-8644-2bc6997d043c)]", "meta": { "country": "IR", - "group_attack_id": "G5016", + "group_attack_id": "G3028", "observed_countries": [ "IL", "US" 
@@ -2152,7 +2161,7 @@ { "description": "Cyber Toufan is an apparently politically motivated, destruction-focused threat actor group that has predominantly targeted organizations based in or perceived to be aligned with Israel. Cyber Toufan publicizes many of their cyber operations and in some cases has leaked victim data allegedly exfiltrated during their attacks.[[SOCRadar Cyber Toufan Profile](/references/a9aa6361-8c4d-4456-bb3f-c64ca5260695)] Check Point researchers labeled Cyber Toufan as an \"Iranian-affiliated\", \"hacktivist proxy\" group.[[Check Point Iranian Proxies December 4 2023](/references/60432d84-8f46-4934-951f-df8e0f297ff0)]", "meta": { - "group_attack_id": "G5049", + "group_attack_id": "G3048", "observed_countries": [ "IL", "GB", @@ -2181,7 +2190,7 @@ { "description": "Daixin Team is a ransomware- and data extortion-focused threat group first observed in mid-2022. Daixin Team is known to publicly extort its victims to pressure them into paying a ransom. It has used ransomware (believed to be based on the leaked source code for Babuk Locker) to encrypt victim data and has also exfiltrated sensitive data from victim environments and threatened to publicly leak that data.\n\nMany of Daixin Team’s victims belong to critical infrastructure sectors, especially the Healthcare and Public Health (“HPH”) sector. An October 2022 joint Cybersecurity Advisory noted Daixin Team attacks on multiple U.S. HPH organizations.[[U.S. CISA Daixin Team October 2022](/references/cbf5ecfb-de79-41cc-8250-01790ff6e89b)] Alleged victims referenced on the threat group’s extortion website belong to the healthcare, utilities, transportation (airline), automobile manufacturing, information technology, retail, and media sectors in the United States, Europe, and Asia.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]", "meta": { - "group_attack_id": "G5015", + "group_attack_id": "G3007", "observed_countries": [ "CA", "DE", 
@@ -2248,12 +2257,7 @@
 ],
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14",
 "value": "Dark Caracal"
 },
@@ -2287,12 +2291,7 @@
 "Non Profit"
 ]
 },
- "related": [
- {
- "dest-uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "efa1d922-8f48-43a6-89fe-237e1f3812c8",
 "value": "Darkhotel"
 },
@@ -2306,12 +2305,7 @@
 "Government"
 ]
 },
- "related": [
- {
- "dest-uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75",
 "value": "DarkHydrus"
 },
@@ -2362,12 +2356,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
 "value": "Deep Panda"
 },
@@ -2407,12 +2396,7 @@
 "Travel Services"
 ]
 },
- "related": [
- {
- "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
 "value": "Dragonfly"
 },
@@ -2433,12 +2417,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813",
 "value": "DragonOK"
 },
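Review bot: Each `related` array in this hunk is replaced by `[]`, discarding the `similar` edge that pointed a group at a UUID in another galaxy (e.g. Dark Caracal → `3d449c83-4426-431a-b06a-cb4f8a0fca94`), and the same wholesale removal recurs in the later hunks from Elderwood through RTM. Those edges are what lets MISP correlate this cluster's entry with the matching threat-actor object, so consumers that pivot across galaxies lose that link once this version ships. If the links were dropped deliberately (for instance because the target UUIDs no longer resolve), the commit description should say so; if the generator simply failed to rebuild them, they should be restored before release. Each enclosing object begins before its hunk, so the object-level context is not visible here.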
@@ -2479,19 +2458,14 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "da754aeb-a86d-4874-b388-d1d2028a56be",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
 "value": "Elderwood"
 },
 {
 "description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy Eldorado, a ransomware-as-a-service (\"RaaS\") first advertised for sale on cybercrime forums in March 2024. Researchers assess that Eldorado is a \"unique\" ransomware strain that is likely not derived from previously leaked ransomware source code.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)]\n\nWindows and Linux-focused versions of the ransomware are known to exist. (ATT&CK Techniques associated with these malware binaries are tracked in a separate \"Eldorado Ransomware\" Software object.)",
 "meta": {
- "group_attack_id": "G5046",
+ "group_attack_id": "G3045",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -2576,12 +2550,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "a4704485-65b5-49ec-bebe-5cc932362dd2",
 "value": "Equation"
 },
@@ -2651,19 +2620,14 @@
 "Mining"
 ]
 },
- "related": [
- {
- "dest-uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533",
 "value": "FIN10"
 },
 {
 "description": "FIN11 is a financially motivated adversary identified by Mandiant in 2020. Originally known for high-volume phishing campaigns leading to ransomware and data theft, the group more recently is known for carrying out wide-ranging exploitation of multiple vulnerabilities in 2023, including vulnerabilities affecting PaperCut print management software and MOVEit Transfer file transfer software to deliver Clop ransomware and for more general data theft, respectively, as well as GoAnywhere file transfer software exploits.[[Microsoft Threat Intelligence Tweet April 26 2023](/references/3b5a2349-e10c-422b-91e3-20e9033fdb60)][[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]. Microsoft Threat Intelligence reports overlaps between FIN11 and Lace Tempest (DEV-0950), which it identifies as a Clop ransomware affiliate. The DFIR Report researchers attributed a May 2023 data theft and wiper campaign to FIN11 and Lace Tempest.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]",
 "meta": {
- "group_attack_id": "G5028",
+ "group_attack_id": "G3011",
 "observed_countries": [
 "CA",
 "IN",
@@ -2696,7 +2660,7 @@
 {
 "description": "FIN12 is a financially motivated threat actor group believed to be responsible for multiple high-profile ransomware attacks since 2018. The group has attacked victims in various sectors and locations, including multiple attacks on healthcare entities. An October 2021 Mandiant assessment indicated 85% of the group's victims were U.S.-based, and the large majority of them were large enterprises with more than $300 million in annual revenue. The report also assessed that initial access brokers partnering with FIN12 target a wider range of organizations and allow FIN12 actors to select victims for further malicious activity.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)]\n\nFIN12's toolset has reportedly shifted over time. Cobalt Strike has been observed in most intrusions. While TrickBot and Empire were common post-exploitation tools historically, French authorities observed the group using SystemBC alongside Cobalt Strike during a March 2023 hospital center intrusion. Ryuk, and to a lesser degree Conti, were traditionally used ransomware payloads, with the former used in a series of attacks on U.S. healthcare entities in 2020. 
However, a French CERT assessment published in 2023 linked the group to multiple more recent incidents it investigated and analyzed, which featured deployment of various ransomware families, including Hive, Nokoyawa, Play, Royal, and BlackCat, along with Emotet and BazarLoader malware for initial footholds.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)][[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]",
 "meta": {
- "group_attack_id": "G5008",
+ "group_attack_id": "G3005",
 "observed_countries": [
 "AU",
 "CA",
@@ -2773,12 +2737,7 @@
 "Pharmaceuticals"
 ]
 },
- "related": [
- {
- "dest-uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "4b6531dc-5b29-4577-8b54-fa99229ab0ca",
 "value": "FIN4"
 },
@@ -2795,12 +2754,7 @@
 "Hospitality Leisure"
 ]
 },
- "related": [
- {
- "dest-uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
 "value": "FIN5"
 },
@@ -2821,12 +2775,7 @@
 "Retail"
 ]
 },
- "related": [
- {
- "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
 "value": "FIN6"
 },
@@ -2880,12 +2829,7 @@
 "Transportation"
 ]
 },
- "related": [
- {
- "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
 "value": "FIN7"
 },
@@ -2915,12 +2859,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
 "value": "FIN8"
 },
@@ -2928,9 +2867,10 @@
 "description": "Researchers assess that Flax Typhoon is a nation-state-sponsored espionage group based in China that has targeted government, education, manufacturing, and IT organizations in Taiwan, elsewhere in Southeast Asia, North America, and Africa. Flax Typhoon is believed to overlap with the ETHEREAL PANDA group and has been active since mid-2021. Flax Typhoon has been seen establishing persistence, moving laterally, and accessing victim credentials after achieving network access, but to date, researchers have not observed the actors acting on final objectives during intrusions. Microsoft researchers assess that Flax Typhoon's techniques, which lean on legitimate, often built-in tools & utilities, could be used in attacks on victims in other regions.[[Microsoft Flax Typhoon August 24 2023](/references/ec962b72-7b7f-4f7e-b6d6-7c5380b07201)]",
 "meta": {
 "country": "CN",
- "group_attack_id": "G5031",
+ "group_attack_id": "G3018",
 "observed_countries": [
- "TW"
+ "TW",
+ "US"
 ],
 "observed_motivations": [
 "Cyber Espionage"
@@ -2938,14 +2878,22 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a",
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "70dc52b0-f317-4134-8a42-71aea1443707",
+ "b20e7912-6a8d-46e3-8e13-9a3fc4813852",
 "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
 "2feda37d-5579-4102-a073-aa02e82cb49f"
 ],
 "target_categories": [
+ "Defense",
 "Education",
 "Government",
 "Manufacturing",
- "Technology"
+ "Technology",
+ "Telecommunications"
 ]
 },
 "related": [],
@@ -2960,6 +2908,7 @@
 "observed_countries": [
 "AU",
 "AT",
+ "AZ",
 "FI",
 "FR",
 "DE",
@@ -2982,6 +2931,17 @@
 ],
 "source": "MITRE",
 "tags": [
+ "07f09197-1847-411e-a451-d37211ead1b2",
+ "0e1abd50-26be-43e7-b8f6-40f8a6aee148",
+ "1ff4614e-0ee6-4e04-921d-61abba7fcdb7",
+ "c475ad68-3fdc-4725-8abc-784c56125e96",
+ "45c5f939-56c4-4d12-844d-578f32d535c3",
+ "5e42e064-1065-44c6-836e-7dc0a2976bd4",
+ "ab64f2d8-8da3-48de-ac66-0fd91d634b22",
+ "cc370970-a67c-4c74-95e3-4fe053e9bfa9",
+ "0e948c57-6c10-4576-ad27-9832cc2af3a1",
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "fe984a01-910d-4e39-9c49-179aa03f75ab",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
 "15787198-6c8b-4f79-bf50-258d55072fee",
 "9768aada-9d63-4d46-ab9f-d41b8c8e4010",
@@ -3101,12 +3061,7 @@
 "Non Profit"
 ]
 },
- "related": [
- {
- "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
 "value": "Gamaredon Group"
 },
@@ -3122,12 +3077,7 @@
 "Financial Services"
 ]
 },
- "related": [
- {
- "dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "dbc85db0-937d-47d7-9002-7364d41be48a",
 "value": "GCMAN"
 },
@@ -3166,19 +3116,14 @@
 "Government"
 ]
 },
- "related": [
- {
- "dest-uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2",
 "value": "Gorgon Group"
 },
 {
 "description": "GreenMwizi is assessed to be an actor based in Nairobi, Kenya that has carried out scam campaigns involving social media bots. A campaign observed in May 2023 appeared to target customers of a major online travel/hospitality booking brand.[[GreenMwizi - Kenyan scamming campaign using Twitter bots](/references/3b09696a-1345-4283-a59b-e9a13124ef59)]",
 "meta": {
- "group_attack_id": "G5024",
+ "group_attack_id": "G3001",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -3203,19 +3148,14 @@
 "group_attack_id": "G0043",
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a",
 "value": "Group5"
 },
 {
 "description": "H0lyGh0st is a North Korea-based ransomware-focused threat actor group.[[H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware](/references/3f66ef62-ac0d-4ece-9a4b-917ae70f1617)]",
 "meta": {
- "group_attack_id": "G5025",
+ "group_attack_id": "G3006",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -3252,12 +3192,7 @@
 "Think Tanks"
 ]
 },
- "related": [
- {
- "dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
 "value": "HAFNIUM"
 },
@@ -3298,7 +3233,7 @@
 {
 "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Hive, a ransomware-as-a-service (RaaS) variant first observed in June 2021.[[U.S. CISA Hive November 25 2022](/references/fce322e6-5e23-404a-acf8-cd003f00c79d)] Specific pre- and post-compromise behaviors may vary among intrusions carried out by different Hive affiliates.\n\nHive actors have targeted victims in a wide range of verticals, including the government, communications, manufacturing, information technology, financial services, education, and especially the healthcare sectors. In January 2023, international authorities announced they disrupted Hive ransomware operations, seizing control of servers and websites used for communication among Hive actors and capturing Hive decryption keys.[[U.S. Justice Department Hive January 2023](/references/81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0)]",
 "meta": {
- "group_attack_id": "G5042",
+ "group_attack_id": "G3041",
 "observed_countries": [
 "DE",
 "NL",
@@ -3374,12 +3309,7 @@
 "Media"
 ]
 },
- "related": [
- {
- "dest-uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
 "value": "Inception"
 },
@@ -3493,19 +3423,14 @@
 "NGOs"
 ]
 },
- "related": [
- {
- "dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
 "value": "Ke3chang"
 },
 {
 "description": "Killnet is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) attacks in support of its ideology, which appears to largely align with Russian state interests. The group emerged in October 2021, initially offering DDoS capabilities as a for-hire service. However, after the February 2022 Russian invasion of Ukraine, Killnet explicitly pledged allegiance to Russia and began to threaten and claim responsibility for attacks on targets in Ukraine and in countries perceived to support Ukraine. To date, the group has claimed and is believed to be responsible for a considerable number of DDoS attacks on government and private sector targets in a range of sectors, using a variety of discrete techniques to carry them out. It is also believed to be behind a smaller number of data exfiltration-focused attacks, and it has promoted the use of defacement tools in its communication channels with supporters.[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]\n\nIn October 2023, following a series of air- and land-based attacks in the Gaza Strip, researchers observed Killnet claiming responsibility for disruptive attacks against computer networks in Israel and pledging explicit support for Palestinian interests.[[RyanW3stman Tweet October 10 2023](/references/cfd0ad64-54b2-446f-9624-9c90a9a94f52)]",
 "meta": {
- "group_attack_id": "G5009",
+ "group_attack_id": "G3022",
 "observed_countries": [
 "BE",
 "CZ",
@@ -3620,12 +3545,7 @@
 "Infrastructure"
 ]
 },
- "related": [
- {
- "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
 "value": "Lazarus Group"
 },
@@ -3732,19 +3652,14 @@
 "Transportation"
 ]
 },
- "related": [
- {
- "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
 "value": "Leviathan"
 },
 {
 "description": "This object represents the LockBit Ransomware-as-a-Service (\"RaaS\") apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nRansomware labeled \"LockBit\" was first observed in 2020. LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (\"CISA\"), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware's predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (March 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nSince emerging in 2020, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world. In June 2023, the U.S. Federal Bureau of Investigation reported it had identified 1,700 LockBit attacks since 2020.[[U.S. 
CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (576 associated with the LockBit 2.0 variant and 394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims, more than double the number of the next threat (Clop, with 179 victims).[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] CISA reported in June 2023 that U.S. ransoms paid to LockBit since January 2020 totaled $91 million.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nLockBit affiliate operators are known to use a wide variety of techniques during their attacks. Initial access for LockBit infections has occurred via most methods (including a number of vulnerability exploits), and operators are known to abuse a range of free and open-source software tools for a variety of post-exploitation activities. In addition to victim data encryption, LockBit actors routinely exfiltrate victim data and threaten to leak this data for extortion purposes.\n\n**Related Vulnerabilities**: CVE-2021-22986, CVE-2023-0669, CVE-2023-27350, CVE-2021-44228, CVE-2021-22986, CVE-2020-1472, CVE-2019-0708, CVE-2018-13379[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]",
 "meta": {
- "group_attack_id": "G5004",
+ "group_attack_id": "G3013",
 "observed_countries": [
 "AR",
 "AU",
@@ -3875,12 +3790,7 @@
 "Government"
 ]
 },
- "related": [
- {
- "dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52",
 "value": "Lotus Blossom"
 },
@@ -3897,7 +3807,7 @@
 {
 "description": "Luna Moth (aka Silent Ransom Group) is a financially-motivated, extortion-focused adversary active since at least March 2022 and through at least June 2023. The group is known for carrying out \"callback phishing\" attacks, where actors entice victims to call an actor-controlled number, for example by sending a fraudulent email that claims the victim recently registered for a popular subscription service. Once connected, actors would convince victims to join a live, actor-connected sessions with legitimate remote access tools provided via a link in a subsequent email, then install other legitimate remote administration software used to support further discovery and exfiltration activity.[[Sygnia Luna Moth July 1 2022](/references/115590b2-ab57-432c-900e-000627464a11)][[FBI Ransomware Tools November 7 2023](/references/e096e1f4-6b62-4756-8811-f263cf1dcecc)]",
 "meta": {
- "group_attack_id": "G5043",
+ "group_attack_id": "G3042",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -3958,12 +3868,7 @@
 "Utilities"
 ]
 },
- "related": [
- {
- "dest-uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af",
 "value": "Machete"
 },
@@ -3997,6 +3902,17 @@
 "Cyber Espionage"
 ],
 "source": "MITRE",
+ "tags": [
+ "24448a05-2337-4bc9-a889-a83f2fd1f3ad",
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
+ "915e7ac2-b266-45d7-945c-cb04327d6246",
+ "e499005b-adba-45bb-85e3-07043fd9edf9",
+ "8b1cb0dc-dd3e-44ba-828c-55c040e93b93",
+ "5f5e40cd-0732-4eb4-a083-06940623c3f9",
+ "1b98f09a-7d93-4abb-8f3e-1eacdb9f9871"
+ ],
 "target_categories": [
 "Construction",
 "Defense",
@@ -4009,12 +3925,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
 "value": "Magic Hound"
 },
@@ -4048,13 +3959,14 @@
 {
 "description": "MedusaLocker is a ransomware-as-a-service (\"RaaS\") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)]\n \nThis object represents behaviors associated with operators of MedusaLocker ransomware. As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the \"MedusaLocker Ransomware\" Software object.\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker",
 "meta": {
- "group_attack_id": "G5003",
+ "group_attack_id": "G3015",
 "observed_motivations": [
 "Financial Gain"
 ],
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "65cf80be-342d-4eba-bf8d-2477923f0ce4",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "15787198-6c8b-4f79-bf50-258d55072fee",
 "5e7433ad-a894-4489-93bc-41e90da90019",
@@ -4071,7 +3983,7 @@
 {
 "description": "Medusa is a ransomware operation that reportedly launched in June 2021. In 2023, the group launched a website used to publicize alleged victims. The group appears to be independent of the similarly named \"MedusaLocker\" operation.[[Bleeping Computer Medusa Ransomware March 12 2023](/references/21fe1d9e-17f1-49e2-b05f-78e9160f5414)]\n\nAccording to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, Medusa actors publicly claimed around 90 victims through September 2023, ranking it ninth out of the 50+ ransomware operations in the dataset. These victims come from a wide variety of industry sectors and localities.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]",
 "meta": {
- "group_attack_id": "G5007",
+ "group_attack_id": "G3021",
 "observed_countries": [
 "CA",
 "CL",
@@ -4180,12 +4092,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
 "value": "menuPass"
 },
@@ -4219,12 +4126,7 @@
 "Manufacturing"
 ]
 },
- "related": [
- {
- "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29",
 "value": "Moafee"
 },
@@ -4282,12 +4184,7 @@
 "NGOs"
 ]
 },
- "related": [
- {
- "dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
 "value": "Molerats"
 },
@@ -4295,7 +4192,7 @@
 "description": "Moonstone Sleet is a North Korea state-aligned threat actor group that has targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, for both financial gain and espionage purposes. The group is believed to be well-resourced, capable of conducting multiple distinct campaigns simultaneously. Microsoft security researchers assess that Moonstone Sleet has expanded its capabilities, with possible goals of enabling disruptive operations and/or software supply chain attacks.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]",
 "meta": {
 "country": "KP",
- "group_attack_id": "G5040",
+ "group_attack_id": "G3039",
 "observed_motivations": [
 "Cyber Espionage",
 "Financial Gain"
@@ -4410,6 +4307,9 @@
 ],
 "source": "MITRE",
 "tags": [
+ "ee3188ce-20e9-4e8e-bbfd-cdc527d5a2b2",
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
+ "0eab0089-86a5-43b1-9ddb-8960f1005267",
 "992bdd33-4a47-495d-883a-58010a2f0efb"
 ],
 "target_categories": [
@@ -4420,12 +4320,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
 "value": "MuddyWater"
 },
@@ -4519,12 +4414,7 @@
 "Government"
 ]
 },
- "related": [
- {
- "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
 "value": "Naikon"
 },
@@ -4540,12 +4430,7 @@
 ],
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c",
 "value": "NEODYMIUM"
 },
@@ -4585,8 +4470,13 @@
 "GB",
 "US"
 ],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
 "source": "MITRE",
 "tags": [
+ "0f1b7cb0-c4de-485e-8ff5-fe12ffccd738",
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
 "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
 ],
 "target_categories": [
@@ -4599,12 +4489,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
 "value": "OilRig"
 },
@@ -4672,19 +4557,14 @@
 "Think Tanks"
 ]
 },
- "related": [
- {
- "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
 "value": "Patchwork"
 },
 {
 "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Software and/or Campaigns) related to the Phobos ransomware-as-a-service (\"RaaS\") operation. Further background & contextual details can be found in the References tab below.",
 "meta": {
- "group_attack_id": "G5020",
+ "group_attack_id": "G3033",
 "observed_countries": [
 "US"
 ],
@@ -4694,6 +4574,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "ee8be47a-dbd8-4067-8785-2fc1450587eb",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "d819ae1a-e385-49fd-88d5-f66660729ecb",
 "e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -4727,12 +4608,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
 "value": "PittyTiger"
 },
@@ -4756,19 +4632,14 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "f036b992-4c3f-47b7-a458-94ac133bce74",
 "value": "PLATINUM"
 },
 {
 "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nPlay is a ransomware operation first observed in mid-2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokoyawa ransomwares, which themselves are believed to be linked.[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)] According to publicly available ransomware extortion threat data, Play has claimed more than 300 victims from a wide range of sectors on its data leak site since December 2022.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.play\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/PlayCrypt",
 "meta": {
- "group_attack_id": "G5018",
+ "group_attack_id": "G3016",
 "observed_countries": [
 "AR",
 "BE",
@@ -4791,6 +4662,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "a2e000da-8181-4327-bacd-32013dbd3654",
 "89c5b94b-ecf4-4d53-9b74-3465086d4565",
 "5e7433ad-a894-4489-93bc-41e90da90019",
 "7e7b0c67-bb85-4996-a289-da0e792d7172",
@@ -4853,12 +4725,7 @@
 "Utilities"
 ]
 },
- "related": [
- {
- "dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "553e2b7b-170c-4eb5-812b-ea33fe1dd4a0",
 "value": "Poseidon Group"
 },
@@ -4874,12 +4741,7 @@
 ],
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "cc798766-8662-4b55-8536-6d057fbc58f0",
 "value": "PROMETHIUM"
 },
@@ -4901,19 +4763,30 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
 "value": "Putter Panda"
 },
+ {
+ "description": "7777 or Quad7 is a botnet used to compromise network devices such as TP-LINK small office/home office (\"SOHO\") routers and use the infected devices to relay password spraying attacks against Microsoft 365 accounts.[[Sekoia.io Blog July 23 2024](/references/ae84e72a-56b3-4dc4-b053-d3766764ac0d)][[Sekoia.io Blog September 9 2024](/references/eb4a1888-3b04-449b-9738-d96ae26adfee)] This object reflects the various Techniques observed in use by the threat actors known to operate this botnet.",
+ "meta": {
+ "group_attack_id": "G3052",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "bf3d1108-0bcd-47ae-8d71-4df48e3e2b43",
+ "value": "Quad7 Botnet Operators"
+ },
 {
 "description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Quantum ransomware (aka Quantum Locker, which derives from the MountLocker, AstroLocker, and XingLocker ransomware families). The Quantum group is known to publicly extort its victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)] Researchers indicate the group is a rebranding of the \"Conti Team Two\" that formed after the fragmenting of the Ryuk/Conti ransom group in early 2022.[[AdvIntel Bazar Call August 10 2022](/references/5d3dff70-28c2-42a5-bf58-211fe6491fd2)]",
 "meta": {
- "group_attack_id": "G5044",
+ "group_attack_id": "G3043",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -4944,29 +4817,50 @@
 ],
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
 "value": "Rancor"
 },
 {
 "description": "RansomHub is an extortion group that regularly republicizes victim data allegedly stolen in other ransomware groups' attacks, but it is also believed to have developed an original ransomware payload.[[BroadcomSW June 5 2024](/references/3fa49490-cb22-4362-bf48-eaba9e83e6f5)][[The Record RansomHub June 3 2024](/references/1e474240-bd12-4472-8e69-1631b0e4c102)] This object reflects the ATT&CK Techniques and/or associated Software & Campaigns linked to attacks by actors deploying RansomHub ransomware.",
 "meta": {
- "group_attack_id": "G5050",
+ "group_attack_id": "G3049",
+ "observed_countries": [
+ "US"
+ ],
 "observed_motivations": [
 "Financial Gain"
 ],
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "32b1a271-7856-4dda-a802-42325f465d36",
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
+ "09de661e-60c4-43fb-bfef-df017215d1d8",
+ "8046a757-48f0-4787-81ab-9dc8c1eb77cd",
+ "abe1c785-4f3a-4f4f-96eb-c47da570face",
+ "9794c389-183b-4d6b-bd59-95cfa4a5afc7",
+ "4ac8dcde-2665-4066-9ad9-b5572d5f0d28",
+ "b8448700-7ed0-48b8-85f5-ed23e0d9ab97",
+ "c475ad68-3fdc-4725-8abc-784c56125e96",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "5e7433ad-a894-4489-93bc-41e90da90019",
- "7e7b0c67-bb85-4996-a289-da0e792d7172",
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
- "2feda37d-5579-4102-a073-aa02e82cb49f"
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ],
+ "target_categories": [
+ "Agriculture",
+ "Financial Services",
+ "Government",
+ "Healthcare",
+ "Manufacturing",
+ "Technology",
+ "Telecommunications",
+ "Transportation",
+ "Utilities",
+ "Water"
 ]
 },
 "related": [],
@@ -4976,7 +4870,7 @@
 {
 "description": "This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service (\"RaaS\") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]",
 "meta": {
- "group_attack_id": "G5013",
+ "group_attack_id": "G3017",
 "observed_countries": [
 "AU",
 "AT",
@@ -5002,6 +4896,7 @@
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
+ "1bafa336-67a8-4094-bb2e-2079a7bdaab5",
 "562e535e-19f5-4d6c-81ed-ce2aec544f09",
 "15787198-6c8b-4f79-bf50-258d55072fee",
 "2743d495-7728-4a75-9e5f-b64854039792",
@@ -5039,7 +4934,7 @@
 {
 "description": "Royal is a ransomware group believed to be responsible for hundreds of attacks on victims worldwide, including those in critical infrastructure sectors including manufacturing, communications, healthcare, and education. The actors that comprise the Royal ransomware operation are believed to be former members of other cybercriminal groups linked to Roy/Zeon ransomware, Conti ransomware, and TrickBot. Unlike many of the other most prominent ransomware groups in recent years, the developers of Royal ransomware are not known to lease the malware to affiliates as a service.[[Kroll Royal Deep Dive February 2023](/references/dcdcc965-56d0-58e6-996b-d8bd40916745)]\n\nThe Royal group often pressures victims into paying ransom demands by threatening to leak data exfiltrated during intrusions. While public data from the [ransomwatch project](https://github.com/joshhighet/ransomwatch) suggest the group has claimed roughly 200 victims since Q4 2022, a November 2023 U.S. government advisory indicated that Royal “has targeted over 350 known victims worldwide” since September 2022, with extortion demands at times exceeding $250 million.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)][[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)]",
 "meta": {
- "group_attack_id": "G5014",
+ "group_attack_id": "G3003",
 "observed_countries": [
 "AU",
 "BR",
@@ -5102,12 +4997,7 @@
 ],
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd",
 "value": "RTM"
 },
@@ -5151,19 +5041,14 @@
 "Transportation"
 ]
 },
- "related": [
- {
- "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
 "value": "Sandworm Team"
 },
 {
 "description": "SCARLETEEL is a threat actor known to leverage various cloud-based technologies in order to steal proprietary software and other data from victim environments.[[Sysdig Scarleteel February 28 2023](/references/18931f81-51bf-44af-9573-512ccb66c238)]",
 "meta": {
- "group_attack_id": "G5036",
+ "group_attack_id": "G3032",
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
@@ -5179,6 +5064,21 @@
 "uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886",
 "value": "SCARLETEEL"
 },
+ {
+ "description": "Scarlet Goldfinch is a threat activity cluster that typically tricks victims into downloading files that appear to be web browser updates, with the file ultimately leading to the deployment of NetSupport Manager, a remote monitoring and management (RMM) utility that has been heavily abused by adversaries.[[Red Canary June 26 2024](/references/e0d62504-6fec-4d95-9f4a-e0dda7e7b6d9)]",
+ "meta": {
+ "group_attack_id": "G5023",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "54a13c54-a1d5-46e9-b155-56d981a5ad8f",
+ "value": "Scarlet Goldfinch"
+ },
 {
 "description": "[Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) and [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c), it has not been concluded that the groups are the same. [[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]",
 "meta": {
@@ -5191,12 +5091,7 @@
 "Human Rights"
 ]
 },
- "related": [
- {
- "dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4",
 "value": "Scarlet Mimic"
 },
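Review bot: The new Scarlet Goldfinch object carries `"group_attack_id": "G5023"` while every other Tidal-owned group touched in this commit is being moved from the G5xxx range to G3xxx (for example Quad7 gets `"G3052"` and Vanilla Tempest `"G3054"`), so this one value looks like it was generated from a stale record. Worth confirming against the upstream Tidal entry for uuid 54a13c54-a1d5-46e9-b155-56d981a5ad8f before merging, since a mismatched id here will show up as an inconsistency the next time the file is regenerated.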
@@ -5405,19 +5300,14 @@
 "Government"
 ]
 },
- "related": [
- {
- "dest-uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577",
 "value": "Sowbug"
 },
 {
 "description": "Spandex Tempest is a financially motivated adversary group associated with Dudear campaigns, which deliver the FlawedGrace remote access Trojan for information theft purposes.[[Microsoft Threat Actor Naming](/references/de9cda86-0b23-4bc8-b524-e74fecf99448)] The group has evolved initial access techniques observed during these campaigns to evade defenses.[[Microsoft Threat Intelligence Tweet June 17 2020](/references/98fc7485-9424-412f-8162-a69d6c10c243)]",
 "meta": {
- "group_attack_id": "G5029",
+ "group_attack_id": "G3012",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -5436,7 +5326,7 @@
 "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nStar Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities witnessed Star Blizzard targeting expand to targets in the defense-industrial sector and U.S. Department of Energy facilities.[[U.S. CISA Star Blizzard December 2023](/references/3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b)]",
 "meta": {
 "country": "RU",
- "group_attack_id": "G5017",
+ "group_attack_id": "G3029",
 "observed_countries": [
 "GB",
 "US"
@@ -5476,19 +5366,14 @@
 "Human Rights"
 ]
 },
- "related": [
- {
- "dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "ca3016f3-642a-4ae0-86bc-7258475d6937",
 "value": "Stealth Falcon"
 },
 {
 "description": "Storm-0844 is a threat actor originally known for distributing Akira ransomware, and more recently, for distributing Fog ransomware. The actor gains initial access likely by abusing valid accounts, then uses freely available tools for discovery, lateral movement, and exfiltration prior to ransomware deployment.[[Microsoft Threat Intelligence LinkedIn July 15 2024](/references/0e7ea8d0-bdb8-48a6-9718-703f64d16460)]",
 "meta": {
- "group_attack_id": "G5047",
+ "group_attack_id": "G3046",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -5509,7 +5394,7 @@
 {
 "description": "According to Microsoft security researchers, Storm-1811 is a \"financially motivated cybercriminal group known to deploy Black Basta ransomware\".[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]",
 "meta": {
- "group_attack_id": "G5039",
+ "group_attack_id": "G3038",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -5551,12 +5436,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1",
 "value": "Strider"
 },
@@ -5573,12 +5453,7 @@
 ],
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "06549082-ff70-43bf-985e-88c695c7113c",
 "value": "Suckfly"
 },
@@ -5616,12 +5491,7 @@
 ],
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
 "value": "TA459"
 },
@@ -5646,12 +5516,7 @@
 "a98d7a43-f227-478e-81de-e7299639a355"
 ]
 },
- "related": [
- {
- "dest-uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
 "value": "TA505"
 },
@@ -5664,19 +5529,14 @@
 ],
 "source": "MITRE"
 },
- "related": [
- {
- "dest-uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
 "value": "TA551"
 },
 {
 "description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nTA577 is a cybercriminal actor that has remained highly active since mid-2020. The actor is known for carrying out email-based campaigns that result in the delivery of a wide range of payloads, including at least one leading to ransomware (REvil) deployment. These campaigns are known to impact organizations in a wide range of sectors and geographic locations.[[Proofpoint Ransomware Initial Access June 2021](/references/3b0631ae-f589-4b7c-a00a-04dcd5f3a77b)] The actor appears adept at shifting payloads in response to external factors, for example moving to deliver DarkGate and Pikabot shortly after international authorities disrupted the QakBot botnet in August 2023.[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]",
 "meta": {
- "group_attack_id": "G5019",
+ "group_attack_id": "G3031",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -5727,12 +5587,7 @@
 "Infrastructure"
 ]
 },
- "related": [
- {
- "dest-uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6",
 "value": "TEMP.Veles"
 },
@@ -5810,12 +5665,7 @@
 "Technology"
 ]
 },
- "related": [
- {
- "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
 "value": "Threat Group-3390"
 },
@@ -5835,12 +5685,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
 "value": "Thrip"
 },
@@ -5880,12 +5725,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
 "value": "Tonto Team"
 },
@@ -5958,12 +5798,7 @@
 "Transportation"
 ]
 },
- "related": [
- {
- "dest-uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
 "value": "Tropic Trooper"
 },
@@ -6061,12 +5896,7 @@
 "Telecommunications"
 ]
 },
- "related": [
- {
- "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
 "value": "Turla"
 },
@@ -6074,7 +5904,7 @@
 "description": "UAT4356 (aka Storm-1849) is an actor attributed to the ArcaneDoor campaign targeting Cisco Adaptive Security Appliance (ASA) network devices. The suspected espionage activity targeted unspecified government institutions around the world.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)] Anonymous sources indicated that the ArcaneDoor campaign appeared aligned with China's state interests.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]",
 "meta": {
 "country": "CN",
- "group_attack_id": "G5022",
+ "group_attack_id": "G3036",
 "observed_motivations": [
 "Cyber Espionage"
 ],
@@ -6097,7 +5927,7 @@
 {
 "description": "UNC3966 is a threat actor group tracked by Mandiant. In an intrusion documented in March 2023, UNC3966 received access to a victim network initially compromised by the group UNC961. UNC3966 primary motivations remain unclear. During the intrusion, the group was observed collecting and exfiltrating victim data. While a ransom note was also discovered, UNC3966 did not appear to deploy ransomware encryption software and did not appear to demand a ransom payment.[[Mandiant UNC961 March 23 2023](/references/cef19ceb-179f-4d49-acba-5ce40ab9f65e)]",
 "meta": {
- "group_attack_id": "G5034",
+ "group_attack_id": "G3027",
 "owner": "TidalCyberIan",
 "source": "Tidal Cyber",
 "tags": [
@@ -6112,7 +5942,7 @@
 {
 "description": "UNC5537 is a threat actor believed to be responsible for compromising a large number of database instances belonging to customers of Snowflake, a multi-cloud data warehousing platform, in Q2 2024. Initial access was largely achieved using stolen customer credentials compromised previously via infostealer malware. Actors sought to monetize their access by selling victim data on underground forums and by extorting victims. Researchers believe UNC5537 is comprised of members based in North America and at least one member in Turkey, and it has targeted hundreds of organizations globally.[[Google Cloud June 10 2024](/references/0afe3662-b55c-4189-9c9a-2be55a9b6a70)]",
 "meta": {
- "group_attack_id": "G5041",
+ "group_attack_id": "G3040",
 "observed_countries": [
 "ES",
 "US"
@@ -6143,7 +5973,7 @@
 {
 "description": "UNC961 is a financially motivated group active since at least 2018. It traditionally targeted retail and \"business services\" organizations based in North America, until expanding its targeting in 2020 to also include victims in a range of additional sectors in Northern Europe and Western Asia. In all known intrusions, UNC961 gained initial access by exploiting web-facing applications.[[Mandiant Log4Shell March 28 2022](/references/62d4d685-09c4-47b6-865c-4a6096e551cd)]",
 "meta": {
- "group_attack_id": "G5033",
+ "group_attack_id": "G3026",
 "observed_motivations": [
 "Financial Gain"
 ],
@@ -6177,11 +6007,40 @@
 "uuid": "e47b2958-b7c4-4fe1-a006-03137db91963",
 "value": "UNC961"
 },
+ {
+ "description": "Vanilla Tempest is a financially motivated threat actor that has been active since July 2022, which has used a variety of ransomware payloads during observed attacks. Microsoft Threat Intelligence researchers indicate that Vanilla Tempest, which was previously tracked under the moniker DEV-0832, \"overlaps with\" activity tracked by other research teams as the Vice Society ransomware/extortion group.[[MSTIC Vanilla Tempest September 18 2024](/references/24c11dff-21df-4ce9-b3df-2e0a886339ff)]",
+ "meta": {
+ "group_attack_id": "G3054",
+ "observed_countries": [
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Education",
+ "Healthcare",
+ "Manufacturing",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "value": "Vanilla Tempest"
+ },
 {
 "description": "Velvet Ant is a suspected \"China-nexus\" espionage group that has notably targeted network devices as part of its operations. In one case involving an unspecified victim located in East Asia, the group was seen abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as a command-and-control mechanism, managing to maintain network persistence for a period of three years. As part of the broader investigation into the group, researchers also observed cases of zero-day exploitation of CVE-2024-20399 in Cisco Nexus network switch devices, which allowed actors to upload and execute previously unknown, custom malware. 
The researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\".[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]",
 "meta": {
 "country": "CN",
- "group_attack_id": "G5045",
+ "group_attack_id": "G3044",
 "observed_motivations": [
 "Cyber Espionage"
 ],
@@ -6202,7 +6061,7 @@
 {
 "description": "Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the group’s victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.[[U.S. CISA Vice Society September 2022](/references/0a754513-5f20-44a0-8cea-c5d9519106c8)]\n\n**Related Vulnerabilities**: CVE-2021-1675[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)], CVE-2021-34527[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]",
 "meta": {
- "group_attack_id": "G5012",
+ "group_attack_id": "G3004",
 "observed_countries": [
 "AR",
 "AU",
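Review bot: The new Vanilla Tempest object's description states that the actor "overlaps with" Vice Society, and the Vice Society object in the following hunk is touched by this same commit, yet neither object gets a `related` entry pointing at the other (Vanilla Tempest ships with `"related": []`). If the generator can express that overlap, a `{"dest-uuid": "<Vice Society uuid, outside this hunk>", "type": "similar"}` entry on the new object would give MISP users the correlation the prose already claims; if it cannot, that is worth noting so the gap is not mistaken for upstream data. Separately, the Velvet Ant context line appears in this rendering with a raw line break inside the description string; that is probably a display artefact, but if the file really contains an unescaped newline there it is not valid JSON and should be checked with a strict parser.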
@@ -6273,7 +6132,7 @@
 {
 "description": "Void Rabisu is a threat actor believed be responsible for distributing Cuba ransomware.[[Unit 42 Cuba August 9 2022](/references/06f668d9-9a68-4d2f-b9a0-b92beb3b75d6)] Trend Micro researchers assess that, since October 2022, Void Rabisu's use of the RomCom backdoor during attacks could suggest a shift in its motivation towards more geopolitically motivated activity.[[Trend Micro Void Rabisu May 30 2023](/references/5fd628ca-f366-4f0d-b493-8be19fa4dd4e)]",
 "meta": {
- "group_attack_id": "G5027",
+ "group_attack_id": "G3009",
 "observed_countries": [
 "UA",
 "US"
@@ -6317,10 +6176,6 @@
 "Cyber Espionage"
 ],
 "source": "MITRE",
- "tags": [
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
- "2feda37d-5579-4102-a073-aa02e82cb49f"
- ],
 "target_categories": [
 "Defense",
 "Education",
@@ -6486,12 +6341,7 @@
 "Entertainment"
 ]
 },
- "related": [
- {
- "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
 "value": "Winnti Group"
 },
@@ -6578,7 +6428,7 @@
 "description": "Yellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm) is a threat actor group based in Iran that is believed to be aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). Researchers have observed the group targeting victims in a range of sectors in the United States, Europe, the Middle East and Mediterranean, and South Asia.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]",
 "meta": {
 "country": "IR",
- "group_attack_id": "G5032",
+ "group_attack_id": "G3025",
 "observed_countries": [
 "US"
 ],
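Review bot: The `@@ -6317,10 +6176,6 @@` hunk removes the whole `tags` array from a MITRE-sourced group whose name and uuid fall outside the hunk, and the two uuids dropped (c6e1f516-1a18-4ff9-b563-e6ac8103b104 and 2feda37d-5579-4102-a073-aa02e82cb49f) are exactly the pair this same commit attaches to Quad7, Scarlet Goldfinch and Vanilla Tempest. Removing them from one object while adding them to others reads as an inconsistency in the export rather than an intentional correction; unless the upstream record confirms the removal, the array should be kept so MISP tag-based filtering on this group keeps working.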
@@ -6646,7 +6496,7 @@
 {
 "description": "This object reflects the TTPs used by threat actors to distribute and deploy the Zloader trojan malware. Researchers have observed actors distributing Zloader in campaigns without attributing the activity to named adversaries, such as the operations described by ESET researchers cited in the References.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]\n\nTTPs associated with Zloader binaries themselves can be found in the separate \"Zloader\" Software object.",
 "meta": {
- "group_attack_id": "G5037",
+ "group_attack_id": "G3034",
 "observed_countries": [
 "AF",
 "AR",
diff --git a/clusters/tidal-references.json b/clusters/tidal-references.json
index 115d356..8cbd3d7 100644
--- a/clusters/tidal-references.json
+++ b/clusters/tidal-references.json
@@ -1933,20 +1933,6 @@
 "uuid": "5b6b909d-870a-4d14-85ec-6aa14e598740",
 "value": "FireEye APT Groups"
 },
- {
- "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.",
- "meta": {
- "date_accessed": "2024-02-14T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/insights/apt-groups"
- ],
- "source": "MITRE",
- "title": "Advanced Persistent Threats (APTs)"
- },
- "related": [],
- "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236",
- "value": "Mandiant Advanced Persistent Threats"
- },
 {
 "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved September 14, 2023.",
 "meta": {
@@ -1962,6 +1948,20 @@
 "uuid": "c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97",
 "value": "Mandiant APT Groups List"
 },
+ {
+ "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-14T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/insights/apt-groups"
+ ],
+ "source": "MITRE",
+ "title": "Advanced Persistent Threats (APTs)"
+ },
+ "related": [],
+ "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236",
+ "value": "Mandiant Advanced Persistent Threats"
+ },
 {
 "description": "Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.",
 "meta": {
@@ -2221,6 +2221,22 @@
 "uuid": "28bfb97b-4b58-408a-bef9-9081f6ddedb8",
 "value": "LogPoint Agent Tesla March 23 2023"
 },
+ {
+ "description": "Sekoia TDR; Felix Aimé; Pierre-Antoine D; Charles M. (2024, September 9). A glimpse into the Quad7 operators' next moves and associated botnets. Retrieved September 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-11T00:00:00Z",
+ "date_published": "2024-09-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "A glimpse into the Quad7 operators' next moves and associated botnets"
+ },
+ "related": [],
+ "uuid": "eb4a1888-3b04-449b-9738-d96ae26adfee",
+ "value": "Sekoia.io Blog September 9 2024"
+ },
 {
 "description": "Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.",
 "meta": {
@@ -2358,6 +2374,22 @@
 "uuid": "1343b052-b158-4dad-9ed4-9dbb7bb778dd",
 "value": "Sophos Akira May 9 2023"
 },
+ {
+ "description": "BlackBerry Research and Intelligence Team. (2024, July 11). Akira Ransomware Targets the LATAM Airline Industry. Retrieved September 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-16T00:00:00Z",
+ "date_published": "2024-07-11T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Akira Ransomware Targets the LATAM Airline Industry"
+ },
+ "related": [],
+ "uuid": "59a1bd0f-a907-4918-90e1-d163bf84f927",
+ "value": "BlackBerry Akira July 11 2024"
+ },
 {
 "description": "Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.",
 "meta": {
@@ -3469,21 +3501,6 @@
 "uuid": "03eb080d-0b83-5cbb-9317-c50b35996c9b",
 "value": "SecureList Fileless"
 },
- {
- "description": "M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.",
- "meta": {
- "date_accessed": "2018-01-08T00:00:00Z",
- "date_published": "2014-02-21T00:00:00Z",
- "refs": [
- "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
- ],
- "source": "MITRE",
- "title": "An In-depth Analysis of Linux/Ebury"
- },
- "related": [],
- "uuid": "39384c7a-3032-4b45-a5eb-8ebe7de22aa2",
- "value": "Welivesecurity Ebury SSH"
- },
 {
 "description": "M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.",
 "meta": {
@@ -3499,6 +3516,21 @@
 "uuid": "eb6d4f77-ac63-4cb8-8487-20f9e709334b",
 "value": "ESET Ebury Feb 2014"
 },
+ {
+ "description": "M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.",
+ "meta": {
+ "date_accessed": "2018-01-08T00:00:00Z",
+ "date_published": "2014-02-21T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
+ ],
+ "source": "MITRE",
+ "title": "An In-depth Analysis of Linux/Ebury"
+ },
+ "related": [],
+ "uuid": "39384c7a-3032-4b45-a5eb-8ebe7de22aa2",
+ "value": "Welivesecurity Ebury SSH"
+ },
 {
 "description": "Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.",
 "meta": {
@@ -4051,21 +4083,6 @@
 "uuid": "268e7ade-c0a8-5859-8b16-6fa8aa3b0cb7",
 "value": "Microsoft App Domains"
 },
- {
- "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
- "meta": {
- "date_accessed": "2014-11-18T00:00:00Z",
- "date_published": "2008-06-01T00:00:00Z",
- "refs": [
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"
- ],
- "source": "MITRE",
- "title": "Application Lockdown with Software Restriction Policies"
- },
- "related": [],
- "uuid": "cae409ca-1c77-45df-88cd-c0998ac724ec",
- "value": "Corio 2008"
- },
 {
 "description": "Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
 "meta": {
@@ -4081,6 +4098,21 @@
 "uuid": "5dab4466-0871-486a-84ad-0e648b2e937d",
 "value": "Microsoft Application Lockdown"
 },
+ {
+ "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
+ "meta": {
+ "date_accessed": "2014-11-18T00:00:00Z",
+ "date_published": "2008-06-01T00:00:00Z",
+ "refs": [
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Application Lockdown with Software Restriction Policies"
+ },
+ "related": [],
+ "uuid": "cae409ca-1c77-45df-88cd-c0998ac724ec",
+ "value": "Corio 2008"
+ },
 {
 "description": "Beechey, J.. (2014, November 18). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
 "meta": {
@@ -4397,21 +4429,6 @@
 "uuid": "3dd67aae-7feb-4b07-a985-ccadc1b16f1d",
 "value": "Bitdefender APT28 Dec 2015"
 },
- {
- "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.",
- "meta": {
- "date_accessed": "2017-11-20T00:00:00Z",
- "date_published": "2017-03-27T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
- ],
- "source": "MITRE",
- "title": "APT29 Domain Fronting With TOR"
- },
- "related": [],
- "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8",
- "value": "FireEye APT29 Domain Fronting With TOR March 2017"
- },
 {
 "description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.",
 "meta": {
@@ -4427,6 +4444,21 @@
 "uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9",
 "value": "FireEye APT29 Domain Fronting"
 },
+ {
+ "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.",
+ "meta": {
+ "date_accessed": "2017-11-20T00:00:00Z",
+ "date_published": "2017-03-27T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
+ ],
+ "source": "MITRE",
+ "title": "APT29 Domain Fronting With TOR"
+ },
+ "related": [],
+ "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8",
+ "value": "FireEye APT29 Domain Fronting With TOR March 2017"
+ },
 {
 "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.",
 "meta": {
@@ -5603,21 +5635,6 @@
 "uuid": "d4ca3351-eeb8-5342-8c85-806614e22c48",
 "value": "FireEye TRITON Dec 2017"
 },
- {
- "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.",
- "meta": {
- "date_accessed": "2022-08-09T00:00:00Z",
- "date_published": "2014-01-14T00:00:00Z",
- "refs": [
- "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/"
- ],
- "source": "MITRE",
- "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency"
- },
- "related": [],
- "uuid": "d2186b8c-10c9-493b-8e25-7d69fce006e4",
- "value": "GitHub Cloud Service Credentials"
- },
 {
 "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.",
 "meta": {
@@ -5633,6 +5650,21 @@
 "uuid": "303f8801-bdd6-4a0c-a90a-37867898c99c",
 "value": "Forbes GitHub Creds"
 },
+ {
+ "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.",
+ "meta": {
+ "date_accessed": "2022-08-09T00:00:00Z",
+ "date_published": "2014-01-14T00:00:00Z",
+ "refs": [
+ "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/"
+ ],
+ "source": "MITRE",
+ "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency"
+ },
+ "related": [],
+ "uuid": "d2186b8c-10c9-493b-8e25-7d69fce006e4",
+ "value": "GitHub Cloud Service Credentials"
+ },
 {
 "description": "Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.",
 "meta": {
@@ -7739,6 +7771,22 @@
 "uuid": "eef7cd8a-8cb6-4b24-ba49-9b17353d20b5",
 "value": "Shadowbunny VM Defense Evasion"
 },
+ {
+ "description": "Kyle Lefton, Larry Cashdollar, Aline Eliovich. (2024, August 28). Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day. Retrieved September 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-05T00:00:00Z",
+ "date_published": "2024-08-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day"
+ },
+ "related": [],
+ "uuid": "140284f8-075c-4225-99dd-519ba5cebabe",
+ "value": "Akamai Corona Zero-Day August 28 2024"
+ },
 {
 "description": "Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler. Retrieved March 15, 2024.",
 "meta": {
@@ -8574,21 +8622,6 @@ "uuid": "e90b4941-5dff-4f38-b4dd-af3426fd621e", "value": "GitHub Bloodhound" }, - { - "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.", - "meta": { - "date_accessed": "2019-10-23T00:00:00Z", - "date_published": "2018-05-11T00:00:00Z", - "refs": [ - "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1" - ], - "source": "MITRE", - "title": "Blue Cloud of Death: Red Teaming Azure" - }, - "related": [], - "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c", - "value": "Blue Cloud of Death" - }, { "description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.", "meta": { @@ -8604,6 +8637,21 @@ "uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b", "value": "Blue Cloud of Death Video" }, + { + "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.", + "meta": { + "date_accessed": "2019-10-23T00:00:00Z", + "date_published": "2018-05-11T00:00:00Z", + "refs": [ + "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1" + ], + "source": "MITRE", + "title": "Blue Cloud of Death: Red Teaming Azure" + }, + "related": [], + "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c", + "value": "Blue Cloud of Death" + }, { "description": "SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.", "meta": { 
@@ -8932,21 +8980,6 @@ "uuid": "60fac434-2815-4568-b951-4bde55c2e3af", "value": "PaloAlto Preventing Opportunistic Attacks Apr 2016" }, - { - "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.", - "meta": { - "date_accessed": "2021-10-08T00:00:00Z", - "date_published": "2018-06-18T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" - ], - "source": "MITRE", - "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique" - }, - "related": [], - "uuid": "104a1c1c-0899-4ff9-a5c4-73de702c467d", - "value": "Mandiant BYOL 2018" - }, { "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.", "meta": { @@ -8962,6 +8995,21 @@ "uuid": "445efe8b-659a-4023-afc7-aa7cd21ee5a1", "value": "Mandiant BYOL" }, + { + "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.", + "meta": { + "date_accessed": "2021-10-08T00:00:00Z", + "date_published": "2018-06-18T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique" + ], + "source": "MITRE", + "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique" + }, + "related": [], + "uuid": "104a1c1c-0899-4ff9-a5c4-73de702c467d", + "value": "Mandiant BYOL 2018" + }, { "description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.", "meta": { 
@@ -9579,21 +9627,6 @@ "uuid": "74df644a-06b8-4331-85a3-932358d65b62", "value": "Hybrid Analysis Icacls1 June 2018" }, - { - "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.", - "meta": { - "date_accessed": "2020-11-24T00:00:00Z", - "date_published": "2016-08-31T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store" - ], - "source": "MITRE", - "title": "Cached and Stored Credentials Technical Overview" - }, - "related": [], - "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e", - "value": "Microsoft Credential Manager store" - }, { "description": "Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.", "meta": { @@ -9609,6 +9642,21 @@ "uuid": "590ea63f-f800-47e4-8d39-df11a184ba84", "value": "Microsoft - Cached Creds" }, + { + "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.", + "meta": { + "date_accessed": "2020-11-24T00:00:00Z", + "date_published": "2016-08-31T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store" + ], + "source": "MITRE", + "title": "Cached and Stored Credentials Technical Overview" + }, + "related": [], + "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e", + "value": "Microsoft Credential Manager store" + }, { "description": "Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.", "meta": { 
@@ -9670,6 +9718,21 @@ "uuid": "7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b", "value": "Cadet Blizzard emerges as novel threat actor" }, + { + "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.", + "meta": { + "date_accessed": "2022-05-27T00:00:00Z", + "date_published": "2022-04-06T00:00:00Z", + "refs": [ + "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/" + ], + "source": "MITRE", + "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda" + }, + "related": [], + "uuid": "584e7ace-ef33-423b-9801-4728a447cb34", + "value": "Cado Security Denonia" + }, { "description": "jbowen. (2022, April 3). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved April 11, 2024.", "meta": { @@ -9686,21 +9749,6 @@ "uuid": "b276c28d-1488-4a21-86d1-7acdfd77794b", "value": "Cado Denonia April 3 2022" }, - { - "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.", - "meta": { - "date_accessed": "2022-05-27T00:00:00Z", - "date_published": "2022-04-06T00:00:00Z", - "refs": [ - "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/" - ], - "source": "MITRE", - "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda" - }, - "related": [], - "uuid": "584e7ace-ef33-423b-9801-4728a447cb34", - "value": "Cado Security Denonia" - }, { "description": "William Turton. (2023, September 13). Caesars Entertainment Paid Millions to Hackers in Attack. Retrieved September 14, 2023.", "meta": { 
@@ -10681,6 +10729,22 @@ "uuid": "e3949201-c949-4126-9e02-34bfad4713c0", "value": "The Hacker News Velvet Ant Cisco July 2 2024" }, + { + "description": "Bill Toulas. (2024, September 9). Chinese hackers use new data theft malware in govt attacks. Retrieved September 13, 2024.", + "meta": { + "date_accessed": "2024-09-13T00:00:00Z", + "date_published": "2024-09-09T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-data-theft-malware-in-govt-attacks/" + ], + "source": "Tidal Cyber", + "title": "Chinese hackers use new data theft malware in govt attacks" + }, + "related": [], + "uuid": "40774c9c-daca-4ea0-a504-ca73b11e4f29", + "value": "BleepingComputer Mustang Panda September 9 2024" + }, { "description": "Catalin Cimpanu. (2021, July 20). Chinese hacking group APT31 uses mesh of home routers to disguise attacks. Retrieved April 25, 2024.", "meta": { @@ -10817,6 +10881,22 @@ "uuid": "b019406c-6e39-41a2-a8b4-97f8d6482147", "value": "Azure AD Hybrid Identity" }, + { + "description": "Aedan Russell. (2022, May 25). ChromeLoader a pushy malvertiser. Retrieved September 26, 2024.", + "meta": { + "date_accessed": "2024-09-26T00:00:00Z", + "date_published": "2022-05-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://redcanary.com/blog/threat-detection/chromeloader/" + ], + "source": "Tidal Cyber", + "title": "ChromeLoader a pushy malvertiser" + }, + "related": [], + "uuid": "bffc87ac-e51b-47e3-8a9f-547e762e95c2", + "value": "Red Canary May 25 2022" + }, { "description": "Huntress. (n.d.). Retrieved March 14, 2024.", "meta": { 
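Review bot: The `value` of the ChromeLoader entry in the second hunk, `"Red Canary May 25 2022"`, names only the vendor and the date, whereas the Mustang Panda entry in the first hunk uses `"BleepingComputer Mustang Panda September 9 2024"`, which also carries the subject. `value` is the display name a MISP user selects from, so a vendor-plus-date name gives no hint of what the reference covers and is hard to tell apart from any other post by the same vendor on the same day; `"value": "Red Canary ChromeLoader May 25 2022"` would follow the convention the sibling hunk uses. The same shortfall applies to `"Truesec AB August 30 2024"` (Cicada 3301 hunk on the next line), `"Morphisec September 3 2024"` (Cicada3301 threat-analysis hunk) and `"Trend Micro September 9 2024"` (Earth Preta hunk).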
@@ -10831,6 +10911,38 @@ "uuid": "c1b2d0e9-2396-5080-aea3-58a99c027d20", "value": "Chrome Remote Desktop" }, + { + "description": "Simon Hertzberg. (2024, August 30). Cicada 3301 - Ransomware-as-a-Service - Technical Analysis. Retrieved September 4, 2024.", + "meta": { + "date_accessed": "2024-09-04T00:00:00Z", + "date_published": "2024-08-30T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.truesec.com/hub/blog/dissecting-the-cicada" + ], + "source": "Tidal Cyber", + "title": "Cicada 3301 - Ransomware-as-a-Service - Technical Analysis" + }, + "related": [], + "uuid": "de2de0a9-17d2-41c2-838b-7850762b80ae", + "value": "Truesec AB August 30 2024" + }, + { + "description": "Sergiu Gatlan. (2024, September 20). CISA warns of Windows flaw used in infostealer malware attacks. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-20T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-flaw-used-in-infostealer-malware-attacks/" + ], + "source": "Tidal Cyber", + "title": "CISA warns of Windows flaw used in infostealer malware attacks" + }, + "related": [], + "uuid": "2c9a2355-02c5-4718-ad6e-b2fac9ad4096", + "value": "BleepingComputer Void Banshee September 16 2024" + }, { "description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.", "meta": { 
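Review bot: The CISA/Void Banshee entry in the first hunk records `"date_accessed": "2024-09-19T00:00:00Z"` together with `"date_published": "2024-09-20T00:00:00Z"`, i.e. retrieved a day before it was published, while its `value` says `September 16 2024`, a third date. At least one of these is wrong; given the value, the description's `(2024, September 20)` and `date_published` presumably should be 2024-09-16, but that should be confirmed against the article before editing rather than assumed. A check in the import script that rejects any record where `date_accessed` precedes `date_published` would catch this class of inconsistency in future imports.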
@@ -11260,20 +11372,6 @@ "uuid": "75b89502-21ed-4920-95cc-212eaf17f281", "value": "CL_Mutexverifiers.ps1 - LOLBAS Project" }, - { - "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.", - "meta": { - "date_accessed": "2021-05-11T00:00:00Z", - "refs": [ - "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" - ], - "source": "MITRE", - "title": "Clop Ransomware" - }, - "related": [], - "uuid": "f54d682d-100e-41bb-96be-6a79ea422066", - "value": "Cybereason Clop Dec 2020" - }, { "description": "Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.", "meta": { @@ -11289,6 +11387,20 @@ "uuid": "458141bd-7dd2-41fd-82e8-7ea2e4a477ab", "value": "Mcafee Clop Aug 2019" }, + { + "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.", + "meta": { + "date_accessed": "2021-05-11T00:00:00Z", + "refs": [ + "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" + ], + "source": "MITRE", + "title": "Clop Ransomware" + }, + "related": [], + "uuid": "f54d682d-100e-41bb-96be-6a79ea422066", + "value": "Cybereason Clop Dec 2020" + }, { "description": "Sergiu Gatlan. (2023, February 10). Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day. Retrieved May 8, 2023.", "meta": { 
@@ -12325,21 +12437,6 @@ "uuid": "ccd0d241-4ff7-4a15-b2b4-06945980c6bf", "value": "Windows RDP Sessions" }, - { - "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.", - "meta": { - "date_accessed": "2015-06-24T00:00:00Z", - "date_published": "2013-07-31T00:00:00Z", - "refs": [ - "https://technet.microsoft.com/en-us/library/dn408187.aspx" - ], - "source": "MITRE", - "title": "Configuring Additional LSA Protection" - }, - "related": [], - "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73", - "value": "Microsoft Configure LSA" - }, { "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.", "meta": { @@ -12370,6 +12467,21 @@ "uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c", "value": "Microsoft LSA Protection Mar 2014" }, + { + "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.", + "meta": { + "date_accessed": "2015-06-24T00:00:00Z", + "date_published": "2013-07-31T00:00:00Z", + "refs": [ + "https://technet.microsoft.com/en-us/library/dn408187.aspx" + ], + "source": "MITRE", + "title": "Configuring Additional LSA Protection" + }, + "related": [], + "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73", + "value": "Microsoft Configure LSA" + }, { "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.", "meta": { 
@@ -12878,6 +12990,22 @@ "uuid": "96ce4324-57d2-422b-8403-f5d4f3ce410c", "value": "Palo Alto ARP" }, + { + "description": "Jakub Souček. (2024, September 10). CosmicBeetle steps up: Probation period at RansomHub. Retrieved September 13, 2024.", + "meta": { + "date_accessed": "2024-09-13T00:00:00Z", + "date_published": "2024-09-10T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/" + ], + "source": "Tidal Cyber", + "title": "CosmicBeetle steps up: Probation period at RansomHub" + }, + "related": [], + "uuid": "8debba29-4d6d-41d2-8772-f97c7d49056b", + "value": "WeLiveSecurity CosmicBeetle September 10 2024" + }, { "description": "F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.", "meta": { @@ -13519,21 +13647,6 @@ "uuid": "51e67e37-2d61-4228-999b-bec6f80cf106", "value": "Bishop Fox Sliver Framework August 2019" }, - { - "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.", - "meta": { - "date_accessed": "2024-02-15T00:00:00Z", - "date_published": "2023-08-31T00:00:00Z", - "refs": [ - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" - ], - "source": "MITRE", - "title": "Cross-Tenant Impersonation: Prevention and Detection" - }, - "related": [], - "uuid": "d54188b5-86eb-52a0-8384-823c45431762", - "value": "Okta Cross-Tenant Impersonation 2023" - }, { "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.", "meta": { 
@@ -13549,6 +13662,21 @@ "uuid": "77dbd22f-ce57-50f7-9c6b-8dc874a4d80d", "value": "Okta Cross-Tenant Impersonation" }, + { + "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.", + "meta": { + "date_accessed": "2024-02-15T00:00:00Z", + "date_published": "2023-08-31T00:00:00Z", + "refs": [ + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" + ], + "source": "MITRE", + "title": "Cross-Tenant Impersonation: Prevention and Detection" + }, + "related": [], + "uuid": "d54188b5-86eb-52a0-8384-823c45431762", + "value": "Okta Cross-Tenant Impersonation 2023" + }, { "description": "Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.", "meta": { @@ -13830,21 +13958,6 @@ "uuid": "be233077-7bb4-48be-aecf-03258931527d", "value": "Microsoft Subkey" }, - { - "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.", - "meta": { - "date_accessed": "2020-12-30T00:00:00Z", - "date_published": "2020-12-13T00:00:00Z", - "refs": [ - "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" - ], - "source": "MITRE", - "title": "Customer Guidance on Recent Nation-State Cyber Attacks" - }, - "related": [], - "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc", - "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks" - }, { "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.", "meta": { 
@@ -13860,6 +13973,21 @@ "uuid": "b486ae40-a854-4998-bf1b-aaf6ea2047ed", "value": "Microsoft SolarWinds Customer Guidance" }, + { + "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.", + "meta": { + "date_accessed": "2020-12-30T00:00:00Z", + "date_published": "2020-12-13T00:00:00Z", + "refs": [ + "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + ], + "source": "MITRE", + "title": "Customer Guidance on Recent Nation-State Cyber Attacks" + }, + "related": [], + "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc", + "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks" + }, { "description": "Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.", "meta": { @@ -15130,6 +15258,22 @@ "uuid": "4476aa0a-b1ef-4ac6-9e44-5721a0b3e92b", "value": "Nccgroup Gh0st April 2018" }, + { + "description": "Michael Gorelik. (2024, September 3). Decoding the Puzzle Cicada3301 Ransomware Threat Analysis. Retrieved September 5, 2024.", + "meta": { + "date_accessed": "2024-09-05T00:00:00Z", + "date_published": "2024-09-03T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.morphisec.com/cicada3301-ransomware-threat-analysis" + ], + "source": "Tidal Cyber", + "title": "Decoding the Puzzle Cicada3301 Ransomware Threat Analysis" + }, + "related": [], + "uuid": "90549699-8815-45e8-820c-4f5a7fc584b8", + "value": "Morphisec September 3 2024" + }, { "description": "Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018.", "meta": { 
@@ -15671,6 +15815,22 @@ "uuid": "86053c5a-f2dd-4eb3-9dc2-6a6a4e1c2ae5", "value": "Apple Kernel Extension Deprecation" }, + { + "description": "Black Lotus Labs. (2024, September 18). Derailing the Raptor Train. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-18T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.lumen.com/derailing-the-raptor-train/" + ], + "source": "Tidal Cyber", + "title": "Derailing the Raptor Train" + }, + "related": [], + "uuid": "21e26577-887b-4b8c-a3f8-4ab8868bed69", + "value": "Black Lotus Raptor Train September 18 2024" + }, { "description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.", "meta": { @@ -16328,6 +16488,22 @@ "uuid": "91efc6bf-e15c-514a-96c1-e838268d222f", "value": "Microsoft Royal ransomware November 2022" }, + { + "description": "Microsoft Threat Intelligence. (2022, October 25). DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2022-10-25T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/" + ], + "source": "Tidal Cyber", + "title": "DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector" + }, + "related": [], + "uuid": "5b667611-649d-44d5-86e0-a79527608b3c", + "value": "MSTIC DEV-0832 October 25 2022" + }, { "description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.", "meta": { 
@@ -17237,21 +17413,6 @@ "uuid": "a1b987cc-7789-411c-9673-3cf6357b207c", "value": "ASERT Donot March 2018" }, - { - "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.", - "meta": { - "date_accessed": "2024-01-17T00:00:00Z", - "date_published": "2023-05-22T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" - ], - "source": "MITRE", - "title": "Don't @ Me: URL Obfuscation Through Schema Abuse" - }, - "related": [], - "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c", - "value": "mandiant-masking" - }, { "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.", "meta": { @@ -17282,6 +17443,21 @@ "uuid": "b63f5934-2ace-5326-89be-7a850469a563", "value": "Mandiant URL Obfuscation 2023" }, + { + "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.", + "meta": { + "date_accessed": "2024-01-17T00:00:00Z", + "date_published": "2023-05-22T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" + ], + "source": "MITRE", + "title": "Don't @ Me: URL Obfuscation Through Schema Abuse" + }, + "related": [], + "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c", + "value": "mandiant-masking" + }, { "description": "TheWover. (2019, May 9). donut. Retrieved March 25, 2022.", "meta": { 
@@ -17478,21 +17654,6 @@ "uuid": "9514c5cd-2ed6-4dbf-aa9e-1c425e969226", "value": "Symantec Dragonfly" }, - { - "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", - "meta": { - "date_accessed": "2022-04-19T00:00:00Z", - "date_published": "2017-10-07T00:00:00Z", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" - ], - "source": "MITRE", - "title": "Dragonfly: Western energy sector targeted by sophisticated attack group" - }, - "related": [], - "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681", - "value": "Symantec Dragonfly 2.0 October 2017" - }, { "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", "meta": { @@ -17508,6 +17669,21 @@ "uuid": "11bbeafc-ed5d-4d2b-9795-a0a9544fb64e", "value": "Symantec Dragonfly Sept 2017" }, + { + "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", + "meta": { + "date_accessed": "2022-04-19T00:00:00Z", + "date_published": "2017-10-07T00:00:00Z", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + ], + "source": "MITRE", + "title": "Dragonfly: Western energy sector targeted by sophisticated attack group" + }, + "related": [], + "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681", + "value": "Symantec Dragonfly 2.0 October 2017" + }, { "description": "Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.", "meta": { 
@@ -17985,20 +18161,6 @@ "uuid": "7b1f945b-2547-4bc6-98bf-30248bdf3587", "value": "Microsoft Dynamic Link Library Search Order" }, - { - "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.", - "meta": { - "date_accessed": "2017-11-27T00:00:00Z", - "refs": [ - "https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx" - ], - "source": "MITRE", - "title": "Dynamic-Link Library Security" - }, - "related": [], - "uuid": "584490c7-b155-4f62-b68d-a5a2a1799e60", - "value": "Microsoft DLL Security" - }, { "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.", "meta": { @@ -18013,6 +18175,20 @@ "uuid": "e087442a-0a53-4cc8-9fd6-772cbd0295d5", "value": "Microsoft Dynamic-Link Library Security" }, + { + "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.", + "meta": { + "date_accessed": "2017-11-27T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx" + ], + "source": "MITRE", + "title": "Dynamic-Link Library Security" + }, + "related": [], + "uuid": "584490c7-b155-4f62-b68d-a5a2a1799e60", + "value": "Microsoft DLL Security" + }, { "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.", "meta": { 
@@ -18072,6 +18248,22 @@ "uuid": "149c1446-d6a1-4a63-9420-def9272d6cb9", "value": "CrowdStrike StellarParticle January 2022" }, + { + "description": "Lenart Bermejo; Sunny Lu; Ted Lee Read time. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved September 10, 2024.", + "meta": { + "date_accessed": "2024-09-10T00:00:00Z", + "date_published": "2024-09-09T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html" + ], + "source": "Tidal Cyber", + "title": "Earth Preta Evolves its Attacks with New Malware and Strategies" + }, + "related": [], + "uuid": "0fdc9ee2-5be2-43e0-afb9-c9a94fde3867", + "value": "Trend Micro September 9 2024" + }, { "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", "meta": { @@ -18892,6 +19084,21 @@ "uuid": "ad3eda19-08eb-4d59-a2c9-3b5ed8302205", "value": "Google Ensuring Your Information is Safe" }, + { + "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.", + "meta": { + "date_accessed": "2024-02-09T00:00:00Z", + "date_published": "2018-11-13T00:00:00Z", + "refs": [ + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" + ], + "source": "MITRE", + "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign" + }, + "related": [], + "uuid": "31796564-4154-54c0-958a-7d6802dfefad", + "value": "Ensilo Darkgate 2018" + }, { "description": "Fortinet Blog. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved October 20, 2023.", "meta": { 
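Review bot: The byline of the Earth Preta entry in the first hunk, `"Lenart Bermejo; Sunny Lu; Ted Lee Read time. (2024, September 9). ..."`, has the page's "Read time" label scraped into the author list, so the description reads as if a fourth author called "Read time" exists. The description should begin `Lenart Bermejo; Sunny Lu; Ted Lee. (2024, September 9).`; the other fields of the same entry are clean, so this looks like an artifact of the upstream page scrape rather than of this commit, and may need correcting at the source feed so the next regeneration does not reintroduce it. None of the other TidalCyberIan-owned entries in this diff show the same artifact.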
@@ -18908,21 +19115,6 @@ "uuid": "1b9b5c48-d504-4c73-aedc-37e935c47f17", "value": "Fortinet Blog November 13 2018" }, - { - "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.", - "meta": { - "date_accessed": "2024-02-09T00:00:00Z", - "date_published": "2018-11-13T00:00:00Z", - "refs": [ - "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" - ], - "source": "MITRE", - "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign" - }, - "related": [], - "uuid": "31796564-4154-54c0-958a-7d6802dfefad", - "value": "Ensilo Darkgate 2018" - }, { "description": "Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.", "meta": { @@ -19100,6 +19292,22 @@ "uuid": "691b4907-3544-4ad0-989c-b5c845e0330f", "value": "LOLBAS Esentutl" }, + { + "description": "ESET Research. (2024, May 14). ESET APT Activity Report Q4 2023-Q1 2024. Retrieved September 1, 2024.", + "meta": { + "date_accessed": "2024-09-01T00:00:00Z", + "date_published": "2024-05-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2023-q1-2024.pdf" + ], + "source": "Tidal Cyber", + "title": "ESET APT Activity Report Q4 2023-Q1 2024" + }, + "related": [], + "uuid": "896cc899-b667-4f9d-ba90-8650fb978535", + "value": "ESET APT Activity Report Q4 2023-Q1 2024" + }, { "description": "Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.", "meta": { 
@@ -20155,21 +20363,6 @@ "uuid": "186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7", "value": "ThreatPost Social Media Phishing" }, - { - "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.", - "meta": { - "date_accessed": "2022-09-30T00:00:00Z", - "date_published": "2021-01-11T00:00:00Z", - "refs": [ - "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" - ], - "source": "MITRE", - "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts" - }, - "related": [], - "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9", - "value": "Sentinel Labs" - }, { "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.", "meta": { @@ -20185,6 +20378,21 @@ "uuid": "34dc9010-e800-420c-ace4-4f426c915d2f", "value": "SentinelLabs reversing run-only applescripts 2021" }, + { + "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.", + "meta": { + "date_accessed": "2022-09-30T00:00:00Z", + "date_published": "2021-01-11T00:00:00Z", + "refs": [ + "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + ], + "source": "MITRE", + "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts" + }, + "related": [], + "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9", + "value": "Sentinel Labs" + }, { "description": "Bill Toulas. (2024, June 17). Fake Google Chrome errors trick you into running malicious PowerShell scripts. Retrieved June 20, 2024.", "meta": { 
@@ -20774,21 +20982,6 @@ "uuid": "6ee27fdb-1753-4fdf-af72-3295b072ff10", "value": "FireEye FIN7 April 2017" }, - { - "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", - "meta": { - "date_accessed": "2022-04-05T00:00:00Z", - "date_published": "2022-04-04T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/evolution-of-fin7" - ], - "source": "MITRE", - "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7" - }, - "related": [], - "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570", - "value": "Mandiant FIN7 Apr 2022" - }, { "description": "Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved May 25, 2023.", "meta": { @@ -20805,6 +20998,21 @@ "uuid": "fbc3ea90-d3d4-440e-964d-6cd2e991df0c", "value": "Mandiant FIN7 April 4 2022" }, + { + "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", + "meta": { + "date_accessed": "2022-04-05T00:00:00Z", + "date_published": "2022-04-04T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/evolution-of-fin7" + ], + "source": "MITRE", + "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7" + }, + "related": [], + "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570", + "value": "Mandiant FIN7 Apr 2022" + }, { "description": "Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.", "meta": { 
@@ -21636,21 +21844,6 @@ "uuid": "02233ce3-abb2-4aed-95b8-56b65c68a665", "value": "Quick Heal Blog February 17 2023" }, - { - "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.", - "meta": { - "date_accessed": "2023-05-15T00:00:00Z", - "date_published": "2023-03-16T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem" - ], - "source": "MITRE", - "title": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation" - }, - "related": [], - "uuid": "a43dd8ce-23d6-5768-8522-6973dc45e1ac", - "value": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation" - }, { "description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.", "meta": { @@ -21666,6 +21859,21 @@ "uuid": "7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7", "value": "Mandiant Fortinet Zero Day" }, + { + "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.", + "meta": { + "date_accessed": "2023-05-15T00:00:00Z", + "date_published": "2023-03-16T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem" + ], + "source": "MITRE", + "title": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation" + }, + "related": [], + "uuid": "a43dd8ce-23d6-5768-8522-6973dc45e1ac", + "value": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation" + }, { "description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020.", "meta": { 
@@ -22845,6 +23053,21 @@ "uuid": "16d0dd05-763a-4503-aa88-c8867d8f202d", "value": "GitHub ohpe Juicy Potato" }, + { + "description": "outflanknl. (n.d.). GitHub outflanknl Dumpert. Retrieved September 5, 2024.", + "meta": { + "date_accessed": "2024-09-05T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://github.com/outflanknl/Dumpert" + ], + "source": "Tidal Cyber", + "title": "GitHub outflanknl Dumpert" + }, + "related": [], + "uuid": "ab375812-def9-4491-a69f-62755fb26910", + "value": "GitHub outflanknl Dumpert" + }, { "description": "Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. Retrieved January 11, 2021.", "meta": { @@ -23067,6 +23290,21 @@ "uuid": "c2556bcf-9cc9-4f46-8a0f-8f8d801dfdbf", "value": "GitHub Terminator" }, + { + "description": "wavestone-cdt. (n.d.). GitHub wavestone-cdt EDRSandBlast. Retrieved September 5, 2024.", + "meta": { + "date_accessed": "2024-09-05T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://github.com/wavestone-cdt/EDRSandblast" + ], + "source": "Tidal Cyber", + "title": "GitHub wavestone-cdt EDRSandBlast" + }, + "related": [], + "uuid": "228dd3e1-1952-447c-a500-31663a2efe45", + "value": "GitHub wavestone-cdt EDRSandBlast" + }, { "description": "xmrig. (n.d.). GitHub xmrig-proxy. Retrieved October 25, 2023.", "meta": { 
@@ -24541,21 +24779,6 @@ "uuid": "95d6d1ce-ceba-48ee-88c4-0fb30058bd80", "value": "Specter Ops - Cloud Credential Storage" }, - { - "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.", - "meta": { - "date_accessed": "2021-01-20T00:00:00Z", - "date_published": "2019-09-23T00:00:00Z", - "refs": [ - "https://securelist.com/my-name-is-dtrack/93338/" - ], - "source": "MITRE", - "title": "Hello! My name is Dtrack" - }, - "related": [], - "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd", - "value": "Securelist Dtrack" - }, { "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.", "meta": { @@ -24572,19 +24795,19 @@ "value": "Securelist Dtrack2" }, { - "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.", + "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.", "meta": { - "date_accessed": "2014-12-04T00:00:00Z", - "date_published": "2012-11-08T00:00:00Z", + "date_accessed": "2021-01-20T00:00:00Z", + "date_published": "2019-09-23T00:00:00Z", "refs": [ - "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464" + "https://securelist.com/my-name-is-dtrack/93338/" ], "source": "MITRE", - "title": "Help eliminate unquoted path vulnerabilities" + "title": "Hello! My name is Dtrack" }, "related": [], - "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e", - "value": "Baggett 2012" + "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd", + "value": "Securelist Dtrack" }, { "description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.", 
@@ -24601,6 +24824,21 @@ "uuid": "23ad5a8c-cbe1-4f40-8757-f1784a4003a1", "value": "Help eliminate unquoted path" }, + { + "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.", + "meta": { + "date_accessed": "2014-12-04T00:00:00Z", + "date_published": "2012-11-08T00:00:00Z", + "refs": [ + "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464" + ], + "source": "MITRE", + "title": "Help eliminate unquoted path vulnerabilities" + }, + "related": [], + "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e", + "value": "Baggett 2012" + }, { "description": "Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.", "meta": { @@ -24915,6 +25153,22 @@ "uuid": "647f6be8-fe95-4045-8778-f7d7ff00c96c", "value": "Synack Secure Kernel Extension Broken" }, + { + "description": "Britton Manahan. (2024, September 14). Highway Blobbery: Data Theft using Azure Storage Explorer. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.modepush.com/blog/highway-blobbery-data-theft-using-azure-storage-explorer" + ], + "source": "Tidal Cyber", + "title": "Highway Blobbery: Data Theft using Azure Storage Explorer" + }, + "related": [], + "uuid": "a4c50b03-f0d7-4d29-a9de-e550be61390c", + "value": "modePUSH Azure Storage Explorer September 14 2024" + }, { "description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.", "meta": { 
@@ -24961,21 +25215,6 @@ "uuid": "f5e43446-04ea-4dcd-be3a-22f8b10b8aa1", "value": "Hive Ransomware Analysis | Kroll" }, - { - "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.", - "meta": { - "date_accessed": "2020-03-16T00:00:00Z", - "date_published": "2017-04-20T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree" - ], - "source": "MITRE", - "title": "HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree" - }, - "related": [], - "uuid": "cb9b5391-773f-4b56-8c41-d4f548c7b835", - "value": "Microsoft CurrentControlSet Services" - }, { "description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.", "meta": { @@ -24991,6 +25230,21 @@ "uuid": "171cfdf1-d91c-4df3-831e-89b6237e3c8b", "value": "microsoft_services_registry_tree" }, + { + "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.", + "meta": { + "date_accessed": "2020-03-16T00:00:00Z", + "date_published": "2017-04-20T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree" + ], + "source": "MITRE", + "title": "HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree" + }, + "related": [], + "uuid": "cb9b5391-773f-4b56-8c41-d4f548c7b835", + "value": "Microsoft CurrentControlSet Services" + }, { "description": "Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.", "meta": { 
@@ -27090,6 +27344,22 @@ "uuid": "f5367abc-e776-41a0-b8e5-6dc60079c081", "value": "Cisco Talos Q2 Trends July 26 2023" }, + { + "description": "SentinelOne. (2023, September 21). Inc. Ransom. Retrieved January 1, 2024.", + "meta": { + "date_accessed": "2024-01-01T00:00:00Z", + "date_published": "2023-09-21T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.sentinelone.com/anthology/inc-ransom/" + ], + "source": "Tidal Cyber", + "title": "Inc. Ransom" + }, + "related": [], + "uuid": "7e793738-c132-47bf-90aa-1f0659564d16", + "value": "SentinelOne September 21 2023" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, July 6). Increased Truebot Activity Infects U.S. and Canada Based Networks. Retrieved July 6, 2023.", "meta": { @@ -28374,6 +28644,20 @@ "uuid": "956b3d80-4e19-4cab-a65f-ad86f233aa12", "value": "GitHub Invoke-Obfuscation" }, + { + "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", + "meta": { + "date_accessed": "2022-09-30T00:00:00Z", + "refs": [ + "https://github.com/peewpw/Invoke-PSImage" + ], + "source": "MITRE", + "title": "Invoke-PSImage" + }, + "related": [], + "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c", + "value": "GitHub PSImage" + }, { "description": "Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.", "meta": { @@ -28389,20 +28673,6 @@ "uuid": "dd210b79-bd5f-4282-9542-4d1ae2f16438", "value": "GitHub Invoke-PSImage" }, - { - "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", - "meta": { - "date_accessed": "2022-09-30T00:00:00Z", - "refs": [ - "https://github.com/peewpw/Invoke-PSImage" - ], - "source": "MITRE", - "title": "Invoke-PSImage" - }, - "related": [], - "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c", - "value": "GitHub PSImage" - }, { "description": "PowerShellMafia. (2016, December 14). Invoke-Shellcode. Retrieved May 25, 2023.", "meta": { 
@@ -29437,21 +29707,6 @@ "uuid": "26a554dc-39c0-4638-902d-7e84fe01b961", "value": "U.S. Justice Department GRU Botnet February 2024" }, - { - "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.", - "meta": { - "date_accessed": "2022-02-01T00:00:00Z", - "date_published": "2020-06-13T00:00:00Z", - "refs": [ - "https://o365blog.com/post/just-looking" - ], - "source": "MITRE", - "title": "Just looking: Azure Active Directory reconnaissance as an outsider" - }, - "related": [], - "uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b", - "value": "Azure AD Recon" - }, { "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.", "meta": { @@ -29467,6 +29722,21 @@ "uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d", "value": "Azure Active Directory Reconnaisance" }, + { + "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.", + "meta": { + "date_accessed": "2022-02-01T00:00:00Z", + "date_published": "2020-06-13T00:00:00Z", + "refs": [ + "https://o365blog.com/post/just-looking" + ], + "source": "MITRE", + "title": "Just looking: Azure Active Directory reconnaissance as an outsider" + }, + "related": [], + "uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b", + "value": "Azure AD Recon" + }, { "description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.", "meta": { 
@@ -29497,21 +29767,6 @@ "uuid": "459fcde2-7ac3-4640-a5bc-cd8750e54962", "value": "Kali Redsnarf" }, - { - "description": "Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", - "meta": { - "date_accessed": "2019-10-10T00:00:00Z", - "date_published": "2014-05-03T00:00:00Z", - "refs": [ - "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html" - ], - "source": "MITRE", - "title": "Kansa: Service related collectors and analysis" - }, - "related": [], - "uuid": "58d5bc0b-8548-4c3a-8302-e07df3b961ff", - "value": "TrustedSignal Service Failure" - }, { "description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", "meta": { @@ -29527,6 +29782,21 @@ "uuid": "d854f84a-4d70-4ef4-9197-d8f5396feabb", "value": "Kansa Service related collectors" }, + { + "description": "Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", + "meta": { + "date_accessed": "2019-10-10T00:00:00Z", + "date_published": "2014-05-03T00:00:00Z", + "refs": [ + "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html" + ], + "source": "MITRE", + "title": "Kansa: Service related collectors and analysis" + }, + "related": [], + "uuid": "58d5bc0b-8548-4c3a-8302-e07df3b961ff", + "value": "TrustedSignal Service Failure" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, December 12). Karakurt Data Extortion Group. Retrieved May 1, 2024.", "meta": { @@ -30608,8 +30878,8 @@ "title": "Lazarus KillDisks Central American casino" }, "related": [], - "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3", - "value": "ESET Lazarus KillDisk April 2018" + "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49", + "value": "Lazarus KillDisk" }, { "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.", 
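Review bot: The last hunk here (and its counterpart at the start of the next line, `@@ -30623,8 +30893,8 @@`) swaps `uuid` and `value` between two reference objects that share the title "Lazarus KillDisks Central American casino" but, judging by the visible context, differ in `description` and therefore presumably in `date_accessed`; after the change uuid `454704b7-9ede-4d30-acfd-2cf16a89bcb3` resolves to the object whose description reads `Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.` rather than the one it was bound to before. Galaxy element uuids are the stable key that MISP instances and downstream consumers correlate on, so silently re-binding a uuid to different metadata deserves confirmation that it is intended and not an artefact of an unstable sort over equal titles. Breaking ties on `uuid` inside the generator would prevent this class of swap. The first object's `description` line sits above the hunk and is not visible here, so the extent of the difference between the two objects is inferred.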
@@ -30623,8 +30893,8 @@ "title": "Lazarus KillDisks Central American casino" }, "related": [], - "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49", - "value": "Lazarus KillDisk" + "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3", + "value": "ESET Lazarus KillDisk April 2018" }, { "description": "Dinesh Devadoss, Phil Stokes. (2022, September 26). Lazarus \"Operation In(ter)ception\" Targets macOS Users Dreaming of Jobs in Crypto. Retrieved March 8, 2024.", @@ -30672,21 +30942,6 @@ "uuid": "ba6a5fcc-9391-42c0-8b90-57b729525f41", "value": "Kaspersky ThreatNeedle Feb 2021" }, - { - "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.", - "meta": { - "date_accessed": "2018-10-03T00:00:00Z", - "date_published": "2017-04-03T00:00:00Z", - "refs": [ - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" - ], - "source": "MITRE", - "title": "Lazarus Under the Hood" - }, - "related": [], - "uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc", - "value": "Kaspersky Lazarus Under The Hood APR 2017" - }, { "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", "meta": { 
@@ -30702,6 +30957,21 @@ "uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0", "value": "Kaspersky Lazarus Under The Hood Blog 2017" }, + { + "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.", + "meta": { + "date_accessed": "2018-10-03T00:00:00Z", + "date_published": "2017-04-03T00:00:00Z", + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" + ], + "source": "MITRE", + "title": "Lazarus Under the Hood" + }, + "related": [], + "uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc", + "value": "Kaspersky Lazarus Under The Hood APR 2017" + }, { "description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.", "meta": { @@ -32435,21 +32705,6 @@ "uuid": "80bb8646-1eb0-442a-aa51-ee3efaf75915", "value": "alientvault macspy" }, - { - "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.", - "meta": { - "date_accessed": "2021-03-18T00:00:00Z", - "date_published": "2020-07-07T00:00:00Z", - "refs": [ - "https://blog.malwarebytes.com/detections/osx-thiefquest/" - ], - "source": "MITRE", - "title": "Mac ThiefQuest malware may not be ransomware after all" - }, - "related": [], - "uuid": "b265ef93-c1fb-440d-a9e0-89cf25a3de05", - "value": "Reed thiefquest fake ransom" - }, { "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.", "meta": { 
@@ -32465,6 +32720,21 @@ "uuid": "47b49df4-34f1-4a89-9983-e8bc19aadf8c", "value": "reed thiefquest ransomware analysis" }, + { + "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.", + "meta": { + "date_accessed": "2021-03-18T00:00:00Z", + "date_published": "2020-07-07T00:00:00Z", + "refs": [ + "https://blog.malwarebytes.com/detections/osx-thiefquest/" + ], + "source": "MITRE", + "title": "Mac ThiefQuest malware may not be ransomware after all" + }, + "related": [], + "uuid": "b265ef93-c1fb-440d-a9e0-89cf25a3de05", + "value": "Reed thiefquest fake ransom" + }, { "description": "Jerome Segura. (2023, September 6). Mac users targeted in new malvertising campaign delivering Atomic Stealer. Retrieved April 19, 2024.", "meta": { @@ -33174,21 +33444,6 @@ "uuid": "9b52a72b-938a-5eb6-a3b7-5a925657f0a3", "value": "Malware Monday VBE" }, - { - "description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.", - "meta": { - "date_accessed": "2018-04-06T00:00:00Z", - "date_published": "2015-04-01T00:00:00Z", - "refs": [ - "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf" - ], - "source": "MITRE", - "title": "Malware Persistence on OS X Yosemite" - }, - "related": [], - "uuid": "7e3f3dda-c407-4b06-a6b0-8b72c4dad6e6", - "value": "RSAC 2015 San Francisco Patrick Wardle" - }, { "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.", "meta": { 
@@ -33204,6 +33459,21 @@ "uuid": "d4e3b066-c439-4284-ba28-3b8bd8ec270e", "value": "Malware Persistence on OS X" }, + { + "description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.", + "meta": { + "date_accessed": "2018-04-06T00:00:00Z", + "date_published": "2015-04-01T00:00:00Z", + "refs": [ + "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf" + ], + "source": "MITRE", + "title": "Malware Persistence on OS X Yosemite" + }, + "related": [], + "uuid": "7e3f3dda-c407-4b06-a6b0-8b72c4dad6e6", + "value": "RSAC 2015 San Francisco Patrick Wardle" + }, { "description": "Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.", "meta": { @@ -34198,20 +34468,6 @@ "uuid": "aa7393ad-0760-4f27-a068-17beba17bbe3", "value": "Secureworks NICKEL ACADEMY Dec 2017" }, - { - "description": "Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.", - "meta": { - "date_accessed": "2021-06-23T00:00:00Z", - "refs": [ - "https://www.cybereason.com/blog/medusalocker-ransomware" - ], - "source": "MITRE", - "title": "MedusaLocker Ransomware" - }, - "related": [], - "uuid": "f7b41120-8455-409f-ad9c-815c2c43edfd", - "value": "Cybereason Nocturnus MedusaLocker 2020" - }, { "description": "Health Sector Cybersecurity Coordination Center (HC3). (2023, February 24). MedusaLocker Ransomware. Retrieved August 11, 2023.", "meta": { 
@@ -34228,6 +34484,20 @@ "uuid": "49e314d6-5324-41e0-8bee-2b3e08d5e12f", "value": "HC3 Analyst Note MedusaLocker Ransomware February 2023" }, + { + "description": "Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.", + "meta": { + "date_accessed": "2021-06-23T00:00:00Z", + "refs": [ + "https://www.cybereason.com/blog/medusalocker-ransomware" + ], + "source": "MITRE", + "title": "MedusaLocker Ransomware" + }, + "related": [], + "uuid": "f7b41120-8455-409f-ad9c-815c2c43edfd", + "value": "Cybereason Nocturnus MedusaLocker 2020" + }, { "description": "Lawrence Abrams. (2023, March 12). Medusa ransomware gang picks up steam as it targets companies worldwide. Retrieved September 14, 2023.", "meta": { @@ -34695,21 +34965,6 @@ "uuid": "f9daf15d-61ea-4cfa-a4e8-9d33d1acd28f", "value": "Microsoft HTML Help May 2018" }, - { - "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", - "meta": { - "date_accessed": "2019-10-04T00:00:00Z", - "date_published": "2019-08-27T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" - ], - "source": "MITRE", - "title": "Microsoft identity platform access tokens" - }, - "related": [], - "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338", - "value": "Microsoft Identity Platform Access 2019" - }, { "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.", "meta": { 
@@ -34725,6 +34980,21 @@ "uuid": "44767d53-8cd7-44dd-a69d-8a7bebc1d87d", "value": "Microsoft - Azure AD Identity Tokens - Aug 2019" }, + { + "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", + "meta": { + "date_accessed": "2019-10-04T00:00:00Z", + "date_published": "2019-08-27T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens" + ], + "source": "MITRE", + "title": "Microsoft identity platform access tokens" + }, + "related": [], + "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338", + "value": "Microsoft Identity Platform Access 2019" + }, { "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", "meta": { @@ -34886,21 +35156,6 @@ "uuid": "86955cd2-5980-44ba-aa7b-4b9f8e347730", "value": "Microsoft WDAC" }, - { - "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.", - "meta": { - "date_accessed": "2022-04-07T00:00:00Z", - "date_published": "2022-03-29T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "source": "MITRE", - "title": "Microsoft recommended driver block rules" - }, - "related": [], - "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3", - "value": "Microsoft driver block rules - Duplicate" - }, { "description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.", "meta": { 
@@ -34916,6 +35171,21 @@ "uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f", "value": "Microsoft Driver Block Rules" }, + { + "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.", + "meta": { + "date_accessed": "2022-04-07T00:00:00Z", + "date_published": "2022-03-29T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "source": "MITRE", + "title": "Microsoft recommended driver block rules" + }, + "related": [], + "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3", + "value": "Microsoft driver block rules - Duplicate" + }, { "description": "Microsoft. (n.d.). Retrieved January 24, 2020.", "meta": { @@ -35082,6 +35352,22 @@ "uuid": "0e7ea8d0-bdb8-48a6-9718-703f64d16460", "value": "Microsoft Threat Intelligence LinkedIn July 15 2024" }, + { + "description": "Microsoft Threat Intelligence. (2024, September 18). Microsoft Threat Intelligence LinkedIn Vanilla Tempest. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-09-18T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.linkedin.com/feed/update/urn:li:activity:7242222140853264385/" + ], + "source": "Tidal Cyber", + "title": "Microsoft Threat Intelligence LinkedIn Vanilla Tempest" + }, + "related": [], + "uuid": "24c11dff-21df-4ce9-b3df-2e0a886339ff", + "value": "MSTIC Vanilla Tempest September 18 2024" + }, { "description": "MsftSecIntel. (2023, May 26). Microsoft Threat Intelligence Tweet April 26 2023. Retrieved June 16, 2023.", "meta": { 
@@ -35357,21 +35643,6 @@ "uuid": "2a01a70c-28a8-444e-95a7-00a568d51ce6", "value": "Harmj0y DCSync Sept 2015" }, - { - "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.", - "meta": { - "date_accessed": "2017-12-04T00:00:00Z", - "date_published": "2015-09-25T00:00:00Z", - "refs": [ - "https://adsecurity.org/?p=1729" - ], - "source": "MITRE", - "title": "Mimikatz DCSync Usage, Exploitation, and Detection" - }, - "related": [], - "uuid": "856ed70b-29b0-4f56-b5ae-a98981a22eaf", - "value": "AdSecurity DCSync Sept 2015" - }, { "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.", "meta": { @@ -35387,6 +35658,21 @@ "uuid": "61b0bb42-2ed6-413d-b331-0a84df12a87d", "value": "ADSecurity Mimikatz DCSync" }, + { + "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.", + "meta": { + "date_accessed": "2017-12-04T00:00:00Z", + "date_published": "2015-09-25T00:00:00Z", + "refs": [ + "https://adsecurity.org/?p=1729" + ], + "source": "MITRE", + "title": "Mimikatz DCSync Usage, Exploitation, and Detection" + }, + "related": [], + "uuid": "856ed70b-29b0-4f56-b5ae-a98981a22eaf", + "value": "AdSecurity DCSync Sept 2015" + }, { "description": "Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.", "meta": { 
@@ -35507,21 +35793,6 @@ "uuid": "0110500c-bf67-43a5-97cb-16eb6c01040b", "value": "APT15 Intezer June 2018" }, - { - "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.", - "meta": { - "date_accessed": "2024-03-13T00:00:00Z", - "date_published": "2019-11-19T00:00:00Z", - "refs": [ - "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" - ], - "source": "MITRE", - "title": "Mispadu: Advertisement for a discounted Unhappy Meal" - }, - "related": [], - "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba", - "value": "ESET Security Mispadu Facebook Ads 2019" - }, { "description": "ESET Research. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved April 4, 2024.", "meta": { @@ -35538,6 +35809,21 @@ "uuid": "a27753c1-2f7a-40c4-9e28-a37265bce28c", "value": "ESET Mispadu November 2019" }, + { + "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.", + "meta": { + "date_accessed": "2024-03-13T00:00:00Z", + "date_published": "2019-11-19T00:00:00Z", + "refs": [ + "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" + ], + "source": "MITRE", + "title": "Mispadu: Advertisement for a discounted Unhappy Meal" + }, + "related": [], + "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba", + "value": "ESET Security Mispadu Facebook Ads 2019" + }, { "description": "Duarte, H., Morrison, B. (2012). (Mis)trusting and (ab)using ssh. Retrieved January 8, 2018.", "meta": { 
@@ -35938,6 +36224,22 @@ "uuid": "ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e", "value": "Forcepoint Monsoon" }, + { + "description": "Nathaniel Morales; Joshua Paul Ignacio Read time. (2023, August 14). Monti Ransomware Unleashes a New Encryptor for Linux. Retrieved January 1, 2024.", + "meta": { + "date_accessed": "2024-01-01T00:00:00Z", + "date_published": "2023-08-14T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html" + ], + "source": "Tidal Cyber", + "title": "Monti Ransomware Unleashes a New Encryptor for Linux" + }, + "related": [], + "uuid": "12d2fbc5-f9cb-41b5-96a6-1cd100b5a173", + "value": "Trend Micro August 14 2023" + }, { "description": "Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks . Retrieved May 29, 2024.", "meta": { @@ -36194,21 +36496,6 @@ "uuid": "e208c277-e477-4123-8c3c-313d55cdc1ea", "value": "Volatility Detecting Hooks Sept 2012" }, - { - "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", - "meta": { - "date_accessed": "2017-03-10T00:00:00Z", - "date_published": "2012-11-20T00:00:00Z", - "refs": [ - "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/" - ], - "source": "MITRE", - "title": "Mozilla Foundation Security Advisory 2012-98" - }, - "related": [], - "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62", - "value": "mozilla_sec_adv_2012" - }, { "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", "meta": { 
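Review bot: The added Monti entry carries `"Nathaniel Morales; Joshua Paul Ignacio Read time."` as its author string; `Read time` looks like a page-layout label scraped together with the by-line rather than part of an author name, since it does not match the `Author. (date). Title. Retrieved …` shape every other `description` on this page follows. If the field is copied verbatim from the Tidal Cyber API the correction belongs upstream, but a normalisation step or manual override in the generator would keep it at `"description": "Nathaniel Morales; Joshua Paul Ignacio. (2023, August 14). Monti Ransomware Unleashes a New Encryptor for Linux. Retrieved January 1, 2024."`. Consumers that render or index the author portion of these citations will otherwise carry the artefact forward.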
@@ -36224,6 +36511,21 @@ "uuid": "920d1607-154e-4c74-b1eb-0d8299be536f", "value": "Mozilla Firefox Installer DLL Hijack" }, + { + "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", + "meta": { + "date_accessed": "2017-03-10T00:00:00Z", + "date_published": "2012-11-20T00:00:00Z", + "refs": [ + "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/" + ], + "source": "MITRE", + "title": "Mozilla Foundation Security Advisory 2012-98" + }, + "related": [], + "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62", + "value": "mozilla_sec_adv_2012" + }, { "description": "LOLBAS. (2020, March 20). MpCmdRun.exe. Retrieved December 4, 2023.", "meta": { @@ -37648,21 +37950,6 @@ "uuid": "5695d3a2-6b6c-433a-9254-d4a2e001a8be", "value": "Bleeping Computer Evil Corp mimics PayloadBin gang 2022" }, - { - "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.", - "meta": { - "date_accessed": "2018-04-11T00:00:00Z", - "date_published": "2016-03-22T00:00:00Z", - "refs": [ - "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" - ], - "source": "MITRE", - "title": "New feature in Office 2016 can block macros and help prevent infection" - }, - "related": [], - "uuid": "4d0f4d0a-b812-42f8-a52c-a1f5c69e6337", - "value": "Microsoft Block Office Macros" - }, { "description": "Microsoft Malware Protection Center. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved July 3, 2017.", "meta": { 
@@ -37678,6 +37965,21 @@ "uuid": "f14f08c5-de51-4827-ba3a-f0598dfbe505", "value": "TechNet Office Macro Security" }, + { + "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.", + "meta": { + "date_accessed": "2018-04-11T00:00:00Z", + "date_published": "2016-03-22T00:00:00Z", + "refs": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" + ], + "source": "MITRE", + "title": "New feature in Office 2016 can block macros and help prevent infection" + }, + "related": [], + "uuid": "4d0f4d0a-b812-42f8-a52c-a1f5c69e6337", + "value": "Microsoft Block Office Macros" + }, { "description": "Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.", "meta": { @@ -37782,21 +38084,6 @@ "uuid": "1641553f-96e7-4829-8c77-d96388dac5c7", "value": "Avast CCleaner3 2018" }, - { - "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.", - "meta": { - "date_accessed": "2020-12-17T00:00:00Z", - "date_published": "2017-04-06T00:00:00Z", - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" - ], - "source": "MITRE", - "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet" - }, - "related": [], - "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3", - "value": "Tsunami" - }, { "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", "meta": { 
@@ -37812,6 +38099,21 @@ "uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf", "value": "amnesia malware" }, + { + "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.", + "meta": { + "date_accessed": "2020-12-17T00:00:00Z", + "date_published": "2017-04-06T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" + ], + "source": "MITRE", + "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet" + }, + "related": [], + "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3", + "value": "Tsunami" + }, { "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.", "meta": { @@ -37918,21 +38220,6 @@ "uuid": "b1540c5c-0bbc-4b9d-9185-fae224ba31be", "value": "Gallagher 2015" }, - { - "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.", - "meta": { - "date_accessed": "2017-12-18T00:00:00Z", - "date_published": "2017-11-28T00:00:00Z", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" - ], - "source": "MITRE", - "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection" - }, - "related": [], - "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8", - "value": "FireEye TLS Nov 2017" - }, { "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.", "meta": { 
@@ -37948,6 +38235,21 @@
 "uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47",
 "value": "FireEye Ursnif Nov 2017"
 },
+ {
+ "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.",
+ "meta": {
+ "date_accessed": "2017-12-18T00:00:00Z",
+ "date_published": "2017-11-28T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
+ ],
+ "source": "MITRE",
+ "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection"
+ },
+ "related": [],
+ "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8",
+ "value": "FireEye TLS Nov 2017"
+ },
 {
 "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
 "meta": {
@@ -38233,6 +38535,22 @@
 "uuid": "2263af27-9c30-4bf6-a204-2f148ebdd17c",
 "value": "Unit 42 MechaFlounder March 2019"
 },
+ {
+ "description": "Bill Cozens. (2024, September 9). New RansomHub attack uses TDSSKiller and LaZagne, disables EDR. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-09-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.threatdown.com/blog/new-ransomhub-attack-uses-tdskiller-and-lazagne-disables-edr/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "New RansomHub attack uses TDSSKiller and LaZagne, disables EDR"
+ },
+ "related": [],
+ "uuid": "34422e6e-0e79-48ba-a942-9816e9b4ee7c",
+ "value": "ThreatDown RansomHub September 9 2024"
+ },
 {
 "description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.",
 "meta": {
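Review bot: In the second hunk the added ThreatDown entry's ref slug spells `tdskiller` while the title and description both say TDSSKiller; if that is a transcription slip the link 404s, and a reference cluster is only as useful as its resolvable refs. Please check the URL against the live post before merge and, if it does not resolve, change the refs entry to the published slug. If the published URL genuinely uses `tdskiller` the entry is correct as written and nothing needs to change.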
@@ -38578,21 +38896,6 @@
 "uuid": "bc7755a0-5ee3-477b-b8d7-67174a59d0e2",
 "value": "Avira Mustang Panda January 2020"
 },
- {
- "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.",
- "meta": {
- "date_accessed": "2016-08-17T00:00:00Z",
- "date_published": "2016-05-24T00:00:00Z",
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
- ],
- "source": "MITRE",
- "title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism"
- },
- "related": [],
- "uuid": "4a946c3f-ee0a-4649-8104-2bd9d90ebd49",
- "value": "Palo Alto DNS Requests"
- },
 {
 "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.",
 "meta": {
@@ -38608,6 +38911,21 @@
 "uuid": "6f08aa4e-c89f-4d3e-8f46-e856e21d2d50",
 "value": "PaloAlto DNS Requests May 2016"
 },
+ {
+ "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.",
+ "meta": {
+ "date_accessed": "2016-08-17T00:00:00Z",
+ "date_published": "2016-05-24T00:00:00Z",
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
+ ],
+ "source": "MITRE",
+ "title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism"
+ },
+ "related": [],
+ "uuid": "4a946c3f-ee0a-4649-8104-2bd9d90ebd49",
+ "value": "Palo Alto DNS Requests"
+ },
 {
 "description": "Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.",
 "meta": {
@@ -38846,21 +39164,6 @@
 "uuid": "65f1bbaa-8ad1-4ad5-b726-660558d27efc",
 "value": "Nmap: the Network Mapper"
 },
- {
- "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
- "meta": {
- "date_accessed": "2022-03-25T00:00:00Z",
- "date_published": "2021-10-25T00:00:00Z",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
- ],
- "source": "MITRE",
- "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"
- },
- "related": [],
- "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373",
- "value": "MSTIC Nobelium Oct 2021"
- },
 {
 "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.",
 "meta": {
@@ -38876,6 +39179,21 @@
 "uuid": "aa315293-77a5-4ad9-b024-9af844edff9a",
 "value": "Microsoft Nobelium Admin Privileges"
 },
+ {
+ "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
+ "meta": {
+ "date_accessed": "2022-03-25T00:00:00Z",
+ "date_published": "2021-10-25T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
+ ],
+ "source": "MITRE",
+ "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"
+ },
+ "related": [],
+ "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373",
+ "value": "MSTIC Nobelium Oct 2021"
+ },
 {
 "description": "Symantec Threat Hunter Team. (2022, September 22). Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics. Retrieved September 14, 2023.",
 "meta": {
@@ -39025,6 +39343,22 @@
 "uuid": "f8700002-5da6-4cb8-be62-34e421d2a573",
 "value": "Malwarebytes Pony April 2016"
 },
+ {
+ "description": "Bill Toulas. (2024, September 10). NoName ransomware gang deploying RansomHub malware in recent attacks. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-09-10T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deploying-ransomhub-malware-in-recent-attacks/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "NoName ransomware gang deploying RansomHub malware in recent attacks"
+ },
+ "related": [],
+ "uuid": "79752048-f2fd-4357-9e0a-15b9a2927852",
+ "value": "BleepingComputer NoName September 10 2024"
+ },
 {
 "description": "Ruohonen, S. & Robinson, S. (2023, February 2). No Pineapple! -DPRK Targeting of Medical Research and Technology Sector. Retrieved July 10, 2023.",
 "meta": {
@@ -39884,6 +40218,21 @@
 "uuid": "e3d932fc-0148-43b9-bcc7-971dd7ba3bf8",
 "value": "Bitdefender Agent Tesla April 2020"
 },
+ {
+ "description": "Council on Foreign Relations. (n.d.). OilRig. Retrieved September 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cfr.org/cyber-operations/oilrig"
+ ],
+ "source": "Tidal Cyber",
+ "title": "OilRig"
+ },
+ "related": [],
+ "uuid": "db9985eb-d536-45b9-a82b-34d8cdd2b699",
+ "value": "CFR OilRig Profile"
+ },
 {
 "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.",
 "meta": {
@@ -39929,6 +40278,38 @@
 "uuid": "14bbb07b-caeb-4d17-8e54-047322a5930c",
 "value": "Palo Alto OilRig Oct 2016"
 },
+ {
+ "description": "ESET Research. (2024, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved September 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-03T00:00:00Z",
+ "date_published": "2024-09-21T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes"
+ },
+ "related": [],
+ "uuid": "21ee3e95-ac4b-48f7-b948-249e1884bc96",
+ "value": "ESET OilRig September 21 2023"
+ },
+ {
+ "description": "Zuzana Hromcová, Adam Burgher. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved September 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-01T00:00:00Z",
+ "date_published": "2023-12-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "OilRig’s persistent attacks using cloud service-powered downloaders"
+ },
+ "related": [],
+ "uuid": "f96b74d5-ff75-47c6-a9a2-b2f43db351bc",
+ "value": "ESET OilRig December 14 2023"
+ },
 {
 "description": "Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.",
 "meta": {
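Review bot: The first added ESET entry has `date_accessed` 2024-09-03 earlier than `date_published` 2024-09-21, which cannot be right, and its own `value` already reads `ESET OilRig September 21 2023`, so the year in `date_published` and in the citation's `(2024, September 21)` is almost certainly off by one. Change them to `"date_published": "2023-09-21T00:00:00Z"` and `ESET Research. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved September 3, 2024.` so the three fields agree. This class of slip is cheap to catch mechanically: a generator or CI check that rejects any entry whose date_accessed precedes its date_published would have flagged this hunk.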
@@ -40773,21 +41154,6 @@
 "uuid": "4035e871-9291-4d7f-9c5f-d8482d4dc8a7",
 "value": "AhnLab Kimsuky Kabar Cobra Feb 2019"
 },
- {
- "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
- "meta": {
- "date_accessed": "2014-11-12T00:00:00Z",
- "date_published": "2014-01-01T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
- ],
- "source": "MITRE",
- "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs"
- },
- "related": [],
- "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48",
- "value": "Villeneuve et al 2014"
- },
 {
 "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
 "meta": {
@@ -40803,6 +41169,21 @@
 "uuid": "bb45cf96-ceae-4f46-a0f5-08cd89f699c9",
 "value": "Mandiant Operation Ke3chang November 2014"
 },
+ {
+ "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
+ "meta": {
+ "date_accessed": "2014-11-12T00:00:00Z",
+ "date_published": "2014-01-01T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
+ ],
+ "source": "MITRE",
+ "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs"
+ },
+ "related": [],
+ "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48",
+ "value": "Villeneuve et al 2014"
+ },
 {
 "description": "Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.",
 "meta": {
@@ -41461,21 +41842,6 @@
 "uuid": "55ee5bcc-ba56-58ac-9afb-2349aa75fe39",
 "value": "Kubernetes Cloud Native Security"
 },
- {
- "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.",
- "meta": {
- "date_accessed": "2023-09-07T00:00:00Z",
- "date_published": "2012-07-23T00:00:00Z",
- "refs": [
- "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
- ],
- "source": "MITRE",
- "title": "Overview of Dynamic Libraries"
- },
- "related": [],
- "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab",
- "value": "Apple Dev Dynamic Libraries"
- },
 {
 "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
 "meta": {
@@ -41491,6 +41857,21 @@
 "uuid": "e3b8cc52-2096-418c-b291-1bc76022961d",
 "value": "Apple Doco Archive Dynamic Libraries"
 },
+ {
+ "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-07T00:00:00Z",
+ "date_published": "2012-07-23T00:00:00Z",
+ "refs": [
+ "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
+ ],
+ "source": "MITRE",
+ "title": "Overview of Dynamic Libraries"
+ },
+ "related": [],
+ "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab",
+ "value": "Apple Dev Dynamic Libraries"
+ },
 {
 "description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.",
 "meta": {
@@ -42279,6 +42660,22 @@
 "uuid": "3ca2e78e-751e-460b-9f3c-f851d054bce4",
 "value": "Pentesting AD Forests"
 },
+ {
+ "description": "U.S. Federal Bureau of Investigation. (2024, September 18). People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2024-09-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.ic3.gov/Media/News/2024/240918.pdf"
+ ],
+ "source": "Tidal Cyber",
+ "title": "People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations"
+ },
+ "related": [],
+ "uuid": "cfb6f191-6c43-423b-9289-02beb3d721d1",
+ "value": "FBI PRC Botnet September 18 2024"
+ },
 {
 "description": "Cybersecurity and Infrastructure Security Agency. (2023, September 27). People's Republic of China-Linked Cyber Actors Hide in Router Firmware. Retrieved September 29, 2023.",
 "meta": {
@@ -42493,21 +42890,6 @@
 "uuid": "533b8ae2-2fc3-4cf4-bcaa-5d8bfcba91c0",
 "value": "Prevailion EvilNum May 2020"
 },
- {
- "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.",
- "meta": {
- "date_accessed": "2020-10-23T00:00:00Z",
- "date_published": "2016-09-24T00:00:00Z",
- "refs": [
- "https://github.com/ryhanson/phishery"
- ],
- "source": "MITRE",
- "title": "phishery"
- },
- "related": [],
- "uuid": "6da51561-a813-4802-aa84-1b3de1bc2e14",
- "value": "GitHub Phishery"
- },
 {
 "description": "Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.",
 "meta": {
@@ -42523,6 +42905,21 @@
 "uuid": "7e643cf0-5df7-455d-add7-2342f36bdbcb",
 "value": "ryhanson phishery SEPT 2016"
 },
+ {
+ "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.",
+ "meta": {
+ "date_accessed": "2020-10-23T00:00:00Z",
+ "date_published": "2016-09-24T00:00:00Z",
+ "refs": [
+ "https://github.com/ryhanson/phishery"
+ ],
+ "source": "MITRE",
+ "title": "phishery"
+ },
+ "related": [],
+ "uuid": "6da51561-a813-4802-aa84-1b3de1bc2e14",
+ "value": "GitHub Phishery"
+ },
 {
 "description": "ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. Retrieved April 13, 2022.",
 "meta": {
@@ -44328,21 +44725,6 @@
 "uuid": "069ef9af-3402-4b13-8c60-b397b0b0bfd7",
 "value": "PaloAlto EncodedCommand March 2017"
 },
- {
- "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
- "meta": {
- "date_accessed": "2020-12-17T00:00:00Z",
- "date_published": "2018-12-06T00:00:00Z",
- "refs": [
- "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
- ],
- "source": "MITRE",
- "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat"
- },
- "related": [],
- "uuid": "ec413dc7-028c-4153-9e98-abe85961747f",
- "value": "anomali-linux-rabbit"
- },
 {
 "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.",
 "meta": {
@@ -44358,6 +44740,21 @@
 "uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f",
 "value": "Anomali Linux Rabbit 2018"
 },
+ {
+ "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
+ "meta": {
+ "date_accessed": "2020-12-17T00:00:00Z",
+ "date_published": "2018-12-06T00:00:00Z",
+ "refs": [
+ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+ ],
+ "source": "MITRE",
+ "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat"
+ },
+ "related": [],
+ "uuid": "ec413dc7-028c-4153-9e98-abe85961747f",
+ "value": "anomali-linux-rabbit"
+ },
 {
 "description": "CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.",
 "meta": {
@@ -45036,21 +45433,6 @@
 "uuid": "e096e1f4-6b62-4756-8811-f263cf1dcecc",
 "value": "FBI Ransomware Tools November 7 2023"
 },
- {
- "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.",
- "meta": {
- "date_accessed": "2021-03-02T00:00:00Z",
- "date_published": "2020-02-24T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
- ],
- "source": "MITRE",
- "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT"
- },
- "related": [],
- "uuid": "44856547-2de5-45ff-898f-a523095bd593",
- "value": "FireEye Ransomware Feb 2020"
- },
 {
 "description": "Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.",
 "meta": {
@@ -45066,6 +45448,21 @@
 "uuid": "9ffa0f35-98e4-4265-8b66-9c805a2b6525",
 "value": "FireEye Ransomware Disrupt Industrial Production"
 },
+ {
+ "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-02T00:00:00Z",
+ "date_published": "2020-02-24T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
+ ],
+ "source": "MITRE",
+ "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT"
+ },
+ "related": [],
+ "uuid": "44856547-2de5-45ff-898f-a523095bd593",
+ "value": "FireEye Ransomware Feb 2020"
+ },
 {
 "description": "Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.",
 "meta": {
@@ -45112,6 +45509,22 @@
 "uuid": "d0811fd4-e89d-4337-9bc1-a9a8774d44b1",
 "value": "Sophos News August 14 2024"
 },
+ {
+ "description": "Rapid. (2024, September 12). Ransomware Groups Demystified Lynx Ransomware . Retrieved September 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-12T00:00:00Z",
+ "date_published": "2024-09-12T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.rapid7.com/blog/post/2024/09/12/ransomware-groups-demystified-lynx-ransomware/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Ransomware Groups Demystified Lynx Ransomware"
+ },
+ "related": [],
+ "uuid": "21d393ae-d135-4c5a-8c6d-1baa8c0a1e08",
+ "value": "Rapid7 Blog September 12 2024"
+ },
 {
 "description": "Www.invictus-ir.com. (2024, January 11). Ransomware in the cloud. Retrieved April 17, 2024.",
 "meta": {
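Review bot: In the second hunk the added Rapid7 entry's citation truncates the author to `Rapid.` and carries a stray space before the title's closing period (`Lynx Ransomware .`), and its `value` `Rapid7 Blog September 12 2024` names neither the malware nor the topic, unlike the neighbouring Tidal values such as `Sophos News August 14 2024` only by accident of the publisher and `U.S. CISA RansomHub Ransomware August 29 2024` by convention. Suggest `"description": "Rapid7. (2024, September 12). Ransomware Groups Demystified Lynx Ransomware. Retrieved September 12, 2024."` and `"value": "Rapid7 Lynx Ransomware September 12 2024"`; the slug hints at a colon after "Demystified", so confirm the exact title against the post. Since `value` is the key other clusters cite, check nothing already references the current string before renaming.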
@@ -46085,6 +46498,20 @@
 "uuid": "f58ac1e4-c470-4aac-a077-7f358e25b0fa",
 "value": "Microsoft Registry Auditing Aug 2016"
 },
+ {
+ "description": "Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
+ "meta": {
+ "date_accessed": "2017-03-16T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Registry Key Security and Access Rights"
+ },
+ "related": [],
+ "uuid": "c5627d86-1b59-4c2a-aac0-88f1b4dc6974",
+ "value": "MSDN Registry Key Security"
+ },
 {
 "description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
 "meta": {
@@ -46100,20 +46527,6 @@
 "uuid": "f8f12cbb-029c-48b1-87ce-624a7f98c8ab",
 "value": "Registry Key Security"
 },
- {
- "description": "Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
- "meta": {
- "date_accessed": "2017-03-16T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx"
- ],
- "source": "MITRE",
- "title": "Registry Key Security and Access Rights"
- },
- "related": [],
- "uuid": "c5627d86-1b59-4c2a-aac0-88f1b4dc6974",
- "value": "MSDN Registry Key Security"
- },
 {
 "description": "Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023.",
 "meta": {
@@ -47201,21 +47614,6 @@
 "uuid": "d1d6b6fe-ef93-4417-844b-7cd8dc76934b",
 "value": "U.S. HHS Royal & BlackCat Alert"
 },
- {
- "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.",
- "meta": {
- "date_accessed": "2023-03-30T00:00:00Z",
- "date_published": "2023-02-13T00:00:00Z",
- "refs": [
- "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive"
- ],
- "source": "MITRE",
- "title": "Royal Ransomware Deep Dive"
- },
- "related": [],
- "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745",
- "value": "Kroll Royal Deep Dive February 2023"
- },
 {
 "description": "Laurie Iacono, Keith Wojcieszek, George Glass. (2023, February 13). Royal Ransomware Deep Dive. Retrieved June 17, 2024.",
 "meta": {
@@ -47232,6 +47630,21 @@
 "uuid": "de385ede-f928-4a1e-934c-8ce7a6e7f33b",
 "value": "Kroll Royal Ransomware February 13 2023"
 },
+ {
+ "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.",
+ "meta": {
+ "date_accessed": "2023-03-30T00:00:00Z",
+ "date_published": "2023-02-13T00:00:00Z",
+ "refs": [
+ "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive"
+ ],
+ "source": "MITRE",
+ "title": "Royal Ransomware Deep Dive"
+ },
+ "related": [],
+ "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745",
+ "value": "Kroll Royal Deep Dive February 2023"
+ },
 {
 "description": "Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.",
 "meta": {
@@ -47791,19 +48204,20 @@
 "value": "Unit42 Redaman January 2019"
 },
 {
- "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.",
+ "description": "Cybersecurity and Infrastructure Security Agency. (2024, September 5). Russian Military Cyber Actors Target US and Global Critical Infrastructure. Retrieved September 9, 2024.",
 "meta": {
- "date_accessed": "2022-05-31T00:00:00Z",
- "date_published": "2022-03-15T00:00:00Z",
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2024-09-05T00:00:00Z",
+ "owner": "TidalCyberIan",
 "refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a"
 ],
- "source": "MITRE",
- "title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability"
+ "source": "Tidal Cyber",
+ "title": "Russian Military Cyber Actors Target US and Global Critical Infrastructure"
 },
 "related": [],
- "uuid": "00c6ff88-6eeb-486d-ae69-dffd5aebafe6",
- "value": "Russians Exploit Default MFA Protocol - CISA March 2022"
+ "uuid": "9631a46d-3e0a-4f25-962b-0b2501c47926",
+ "value": "U.S. CISA Unit 29155 September 5 2024"
 },
 {
 "description": "Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.",
@@ -47820,6 +48234,21 @@
 "uuid": "fa03324e-c79c-422e-80f1-c270fd87d4e2",
 "value": "CISA MFA PrintNightmare"
 },
+ {
+ "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.",
+ "meta": {
+ "date_accessed": "2022-05-31T00:00:00Z",
+ "date_published": "2022-03-15T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
+ ],
+ "source": "MITRE",
+ "title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability"
+ },
+ "related": [],
+ "uuid": "00c6ff88-6eeb-486d-ae69-dffd5aebafe6",
+ "value": "Russians Exploit Default MFA Protocol - CISA March 2022"
+ },
 {
 "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
 "meta": {
@@ -48266,6 +48695,22 @@
 "uuid": "3a60f7de-9ead-444e-9d08-689c655b26c7",
 "value": "Mandiant SCANdalous Jul 2020"
 },
+ {
+ "description": "Jakub Souček. (2023, August 22). Scarabs colon-izing vulnerable servers. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2023-08-22T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Scarabs colon-izing vulnerable servers"
+ },
+ "related": [],
+ "uuid": "7cbf97fe-1809-4089-b386-a8bfd083df39",
+ "value": "WeLiveSecurity Scarab August 22 2023"
+ },
 {
 "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.",
 "meta": {
@@ -48281,21 +48726,6 @@
 "uuid": "2dd5b872-a4ab-4b77-8457-a3d947298fc0",
 "value": "Securelist ScarCruft May 2019"
 },
- {
- "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.",
- "meta": {
- "date_accessed": "2023-07-12T00:00:00Z",
- "date_published": "2023-07-11T00:00:00Z",
- "refs": [
- "https://sysdig.com/blog/scarleteel-2-0/"
- ],
- "source": "MITRE",
- "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"
- },
- "related": [],
- "uuid": "90e60242-82d8-5648-b7e4-def6fd508e16",
- "value": "Sysdig ScarletEel 2.0"
- },
 {
 "description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.",
 "meta": {
@@ -48311,6 +48741,21 @@
 "uuid": "285266e7-7a62-5f98-9b0f-fefde4b21c88",
 "value": "Sysdig ScarletEel 2.0 2023"
 },
+ {
+ "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.",
+ "meta": {
+ "date_accessed": "2023-07-12T00:00:00Z",
+ "date_published": "2023-07-11T00:00:00Z",
+ "refs": [
+ "https://sysdig.com/blog/scarleteel-2-0/"
+ ],
+ "source": "MITRE",
+ "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"
+ },
+ "related": [],
+ "uuid": "90e60242-82d8-5648-b7e4-def6fd508e16",
+ "value": "Sysdig ScarletEel 2.0"
+ },
 {
 "description": "Alberto Pellitteri. (2023, February 28). SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft. Retrieved February 2, 2023.",
 "meta": {
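Review bot: The re-inserted entry in the second hunk cites the article's own title as its author (`SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: …`), and the move carries that malformed citation forward unchanged; the context entry for the same sysdig URL in the first hunk credits `Alessandro Brucato`, so this one should read `Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.` unless the MITRE upstream text is meant to be mirrored verbatim, in which case it should be fixed there. Separately, both entries point at the same ref with different uuids and values, so any consumer that keys on refs will see a duplicate; that predates this commit but is worth a note in the cluster's generator.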
@@ -48327,6 +48772,22 @@
 "uuid": "18931f81-51bf-44af-9573-512ccb66c238",
 "value": "Sysdig Scarleteel February 28 2023"
 },
+ {
+ "description": "Laura Brosnan. (2024, June 26). Scarlet Goldfinch Taking flight with NetSupport Manager - Red Canary. Retrieved June 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-26T00:00:00Z",
+ "date_published": "2024-06-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Scarlet Goldfinch Taking flight with NetSupport Manager - Red Canary"
+ },
+ "related": [],
+ "uuid": "e0d62504-6fec-4d95-9f4a-e0dda7e7b6d9",
+ "value": "Red Canary June 26 2024"
+ },
 {
 "description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.",
 "meta": {
@@ -48923,21 +49384,6 @@
 "uuid": "3cc2c996-10e9-4e25-999c-21dc2c69e4af",
 "value": "CISA IDN ST05-016"
 },
- {
- "description": "Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.",
- "meta": {
- "date_accessed": "2022-02-01T00:00:00Z",
- "date_published": "2017-11-16T00:00:00Z",
- "refs": [
- "https://o365blog.com/post/federation-vulnerability/"
- ],
- "source": "MITRE",
- "title": "Security vulnerability in Azure AD & Office 365 identity federation"
- },
- "related": [],
- "uuid": "123995be-36f5-4cd6-b80a-d601c2d0971e",
- "value": "Azure AD Federation Vulnerability"
- },
 {
 "description": "Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.",
 "meta": {
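Review bot: The added Red Canary entry's `title` and citation carry the website's page-title suffix ` - Red Canary`, which is not part of the article title, and the `value` `Red Canary June 26 2024` names neither the cluster (Scarlet Goldfinch) nor the tool, so it is meaningless when rendered as a citation in another galaxy. Suggest `"title": "Scarlet Goldfinch: Taking flight with NetSupport Manager"` and `"value": "Red Canary Scarlet Goldfinch June 26 2024"`, applying the same title fix inside the description. The colon after "Scarlet Goldfinch" is inferred from the way the title reads once the suffix is dropped; confirm it against the page before committing.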
@@ -48953,6 +49399,21 @@
 "uuid": "d2005eb6-4da4-4938-97fb-caa0e2381f4e",
 "value": "AADInternals zure AD Federated Domain"
 },
+ {
+ "description": "Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.",
+ "meta": {
+ "date_accessed": "2022-02-01T00:00:00Z",
+ "date_published": "2017-11-16T00:00:00Z",
+ "refs": [
+ "https://o365blog.com/post/federation-vulnerability/"
+ ],
+ "source": "MITRE",
+ "title": "Security vulnerability in Azure AD & Office 365 identity federation"
+ },
+ "related": [],
+ "uuid": "123995be-36f5-4cd6-b80a-d601c2d0971e",
+ "value": "Azure AD Federation Vulnerability"
+ },
 {
 "description": "ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.",
 "meta": {
@@ -50865,6 +51326,21 @@
 "uuid": "01d9c3ba-29e2-5090-b399-0e7adf50a6b9",
 "value": "SocGholish-update"
 },
+ {
+ "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-22T00:00:00Z",
+ "date_published": "2022-11-07T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/"
+ ],
+ "source": "MITRE",
+ "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders"
+ },
+ "related": [],
+ "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d",
+ "value": "SentinelOne SocGholish Infrastructure November 2022"
+ },
 {
 "description": "Aleksandar Milenkoski. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved May 7, 2023.",
 "meta": {
@@ -50881,21 +51357,6 @@
 "uuid": "c2dd119c-25d8-4e48-8eeb-89552a5a096c",
 "value": "SentinelLabs SocGholish November 2022"
 },
- {
- "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.",
- "meta": {
- "date_accessed": "2024-03-22T00:00:00Z",
- "date_published": "2022-11-07T00:00:00Z",
- "refs": [
- "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/"
- ],
- "source": "MITRE",
- "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders"
- },
- "related": [],
- "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d",
- "value": "SentinelOne SocGholish Infrastructure November 2022"
- },
 {
 "description": "Proofpoint. (2022, November 21). SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US. Retrieved May 7, 2023.",
 "meta": {
@@ -51170,6 +51631,22 @@
 "uuid": "6fce30c3-17d6-42a0-8470-319e2930e573",
 "value": "solution_monitor_dhcp_scopes"
 },
+ {
+ "description": "Sekoia TDR; Felix Aimé; Pierre-Antoine D; Charles M; Grégoire Clermont; Jeremy Scion. (2024, July 23). Solving the 7777 Botnet enigma A cybersecurity quest. Retrieved July 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-24T00:00:00Z",
+ "date_published": "2024-07-23T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Solving the 7777 Botnet enigma A cybersecurity quest"
+ },
+ "related": [],
+ "uuid": "ae84e72a-56b3-4dc4-b053-d3766764ac0d",
+ "value": "Sekoia.io Blog July 23 2024"
+ },
 {
 "description": "SophosXOps. (2023, September 13). Sophos X-Ops Tweet September 13 2023. Retrieved September 22, 2023.",
 "meta": {
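Review bot: In the second hunk the added Sekoia entry's author field is a semicolon-separated list (`Sekoia TDR; Felix Aimé; Pierre-Antoine D; …`) while every other citation in this cluster uses comma/`&`/`et al.` author lists, its title has lost its separator (`Solving the 7777 Botnet enigma A cybersecurity quest` reads as one run-on phrase), and the `value` `Sekoia.io Blog July 23 2024` does not mention the 7777 botnet at all. Suggest `"description": "Sekoia TDR, Aimé, F., et al. (2024, July 23). Solving the 7777 Botnet enigma: A cybersecurity quest. Retrieved July 24, 2024."`, the same title string in `title`, and `"value": "Sekoia.io 7777 Botnet July 23 2024"`. The colon position is inferred from the slug `solving-the-7777-botnet-enigma-a-cybersecurity-quest`, so confirm it against the post.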
@@ -51872,21 +52349,6 @@ "uuid": "edd0cab4-48f7-48d8-a318-ced118af6a63", "value": "Sekoia.io Stealc February 27 2023" }, - { - "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.", - "meta": { - "date_accessed": "2022-08-03T00:00:00Z", - "date_published": "2022-02-15T00:00:00Z", - "refs": [ - "https://o365blog.com/post/deviceidentity/" - ], - "source": "MITRE", - "title": "Stealing and faking Azure AD device identities" - }, - "related": [], - "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338", - "value": "O365 Blog Azure AD Device IDs" - }, { "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.", "meta": { @@ -51902,6 +52364,21 @@ "uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc", "value": "AADInternals Azure AD Device Identities" }, + { + "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.", + "meta": { + "date_accessed": "2022-08-03T00:00:00Z", + "date_published": "2022-02-15T00:00:00Z", + "refs": [ + "https://o365blog.com/post/deviceidentity/" + ], + "source": "MITRE", + "title": "Stealing and faking Azure AD device identities" + }, + "related": [], + "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338", + "value": "O365 Blog Azure AD Device IDs" + }, { "description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.", "meta": { 
@@ -52277,6 +52754,22 @@ "uuid": "ad96148c-8230-4923-86fd-4b1da211db1a", "value": "U.S. CISA Play Ransomware December 2023" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2024, August 29). #StopRansomware: RansomHub Ransomware. Retrieved September 3, 2024.", + "meta": { + "date_accessed": "2024-09-03T00:00:00Z", + "date_published": "2024-08-29T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a" + ], + "source": "Tidal Cyber", + "title": "#StopRansomware: RansomHub Ransomware" + }, + "related": [], + "uuid": "af338cbd-6416-4dee-95c7-6915f78e2604", + "value": "U.S. CISA RansomHub Ransomware August 29 2024" + }, { "description": "Cybersecurity and Infrastructure Security Agency. (2023, November 15). #StopRansomware: Rhysida Ransomware. Retrieved November 16, 2023.", "meta": { @@ -52340,6 +52833,22 @@ "uuid": "0a754513-5f20-44a0-8cea-c5d9519106c8", "value": "U.S. CISA Vice Society September 2022" }, + { + "description": "Cybersecurity and Infrastructure Security Agency. (2022, August 11). #StopRansomware: Zeppelin Ransomware. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2022-08-11T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-223a" + ], + "source": "Tidal Cyber", + "title": "#StopRansomware: Zeppelin Ransomware" + }, + "related": [], + "uuid": "42d98de2-8c9a-4cc4-b5a1-9778c0da3286", + "value": "U.S. CISA Zeppelin Ransomware August 11 2022" + }, { "description": "LOLBAS. (2021, October 21). Stordiag.exe. Retrieved December 4, 2023.", "meta": { 
@@ -52622,8 +53131,8 @@ "title": "SUNBURST, TEARDROP and the NetSec New Normal" }, "related": [], - "uuid": "4e3d9201-83d4-5375-b3b7-e00dfb16342d", - "value": "CheckPoint Sunburst & Teardrop December 2020" + "uuid": "a6b75979-af51-42ed-9bb9-01d5fb9ceac9", + "value": "Check Point Sunburst Teardrop December 2020" }, { "description": "Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.", @@ -52637,8 +53146,8 @@ "title": "SUNBURST, TEARDROP and the NetSec New Normal" }, "related": [], - "uuid": "a6b75979-af51-42ed-9bb9-01d5fb9ceac9", - "value": "Check Point Sunburst Teardrop December 2020" + "uuid": "4e3d9201-83d4-5375-b3b7-e00dfb16342d", + "value": "CheckPoint Sunburst & Teardrop December 2020" }, { "description": "CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.", @@ -53204,6 +53713,20 @@ "uuid": "2a3c5216-b153-4d89-b0b1-f32af3aa83d0", "value": "Peripheral Discovery macOS" }, + { + "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.", + "meta": { + "date_accessed": "2016-11-25T00:00:00Z", + "refs": [ + "https://msdn.microsoft.com/ms724961.aspx" + ], + "source": "MITRE", + "title": "System Time" + }, + "related": [], + "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec", + "value": "MSDN System Time" + }, { "description": "ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.", "meta": { 
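Review bot: The hunks at -52622 and -52637 swap `uuid` and `value` between two reference entries that share the same title and refs URL and differ only in `date_accessed`, so each uuid now resolves to the other retrieval record. Because the uuid is the stable key that `related` edges and downstream MISP instances pin to, this is a behavioural change rather than a cosmetic one, even though both records cite the same article; if the swap comes from duplicate entries being re-sorted during generation it will flip back on the next run. A reviewer would want the commit message to say why the identifiers move, and longer term to collapse the duplicate pair into a single entry so there is one uuid per source. The same swap pattern recurs further down for the two LaZagne entries.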
@@ -53219,20 +53742,6 @@ "uuid": "2dfd22d7-c78b-5967-b732-736f37ea5489", "value": "linux system time" }, - { - "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.", - "meta": { - "date_accessed": "2016-11-25T00:00:00Z", - "refs": [ - "https://msdn.microsoft.com/ms724961.aspx" - ], - "source": "MITRE", - "title": "System Time" - }, - "related": [], - "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec", - "value": "MSDN System Time" - }, { "description": "Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.", "meta": { @@ -53715,6 +54224,22 @@ "uuid": "dfd168c0-40da-4402-a123-963eb8e2125a", "value": "dharma_ransomware" }, + { + "description": "Check Point Research. (2024, September 11). Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research. Retrieved September 11, 2024.", + "meta": { + "date_accessed": "2024-09-11T00:00:00Z", + "date_published": "2024-09-11T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/" + ], + "source": "Tidal Cyber", + "title": "Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research" + }, + "related": [], + "uuid": "53320d81-4060-4414-b5b8-21d09362bc44", + "value": "Check Point Research September 11 2024" + }, { "description": "Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.", "meta": { 
@@ -53940,21 +54465,6 @@ "uuid": "b98f1967-c62f-5afe-a2f7-4c426615d576", "value": "AquaSec TeamTNT 2023" }, - { - "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.", - "meta": { - "date_accessed": "2022-08-04T00:00:00Z", - "date_published": "2022-04-21T00:00:00Z", - "refs": [ - "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" - ], - "source": "MITRE", - "title": "TeamTNT targeting AWS, Alibaba" - }, - "related": [], - "uuid": "f39b5f92-6e14-4c7f-b79d-7bade722e6d9", - "value": "Cisco Talos Intelligence Group" - }, { "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022.", "meta": { @@ -53970,6 +54480,21 @@ "uuid": "acd1b4c5-da28-584e-b892-599180a8dbb0", "value": "Talos TeamTNT" }, + { + "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.", + "meta": { + "date_accessed": "2022-08-04T00:00:00Z", + "date_published": "2022-04-21T00:00:00Z", + "refs": [ + "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" + ], + "source": "MITRE", + "title": "TeamTNT targeting AWS, Alibaba" + }, + "related": [], + "uuid": "f39b5f92-6e14-4c7f-b79d-7bade722e6d9", + "value": "Cisco Talos Intelligence Group" + }, { "description": "Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.", "meta": { 
@@ -54975,6 +55500,22 @@ "uuid": "7578541b-1ae3-58d0-a8b9-120bd6cd96f5", "value": "CrowdStrike Evolution of Pinchy Spider July 2021" }, + { + "description": "Abe Schneider, Bethany Hardin, Lavine Oluoch . (2022, September 19). The Evolution of the Chromeloader Malware. Retrieved September 26, 2024.", + "meta": { + "date_accessed": "2024-09-26T00:00:00Z", + "date_published": "2022-09-19T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html" + ], + "source": "Tidal Cyber", + "title": "The Evolution of the Chromeloader Malware" + }, + "related": [], + "uuid": "5c2985f1-2d80-488b-ab63-fbd56aba229b", + "value": "VMware Chromeloader September 19 2022" + }, { "description": "Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved January 10, 2024.", "meta": { @@ -55346,8 +55887,8 @@ "title": "The LaZagne Project !!!" }, "related": [], - "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15", - "value": "GitHub LaZange Dec 2018" + "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5", + "value": "GitHub LaZagne Dec 2018" }, { "description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.", @@ -55360,8 +55901,8 @@ "title": "The LaZagne Project !!!" }, "related": [], - "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5", - "value": "GitHub LaZagne Dec 2018" + "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15", + "value": "GitHub LaZange Dec 2018" }, { "description": "SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.", 
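Review bot: The swap at -55346/-55360 keeps the misspelled label `"GitHub LaZange Dec 2018"` attached to uuid 33cca4fa while the correctly spelled `"GitHub LaZagne Dec 2018"` moves to uuid 9347b507, so the two entries still differ only by a typo and their retrieval date. Since `value` is the label MISP shows to analysts and a typo makes one of the two unsearchable by the tool's real name, the pair is a candidate for merging rather than re-pairing. If they must stay separate, fixing the label to `"GitHub LaZagne Dec 2018"` on the retained entry is a one-word change, but that is a data decision the generator's upstream should make rather than this commit.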
@@ -55453,6 +55994,22 @@ "uuid": "ed5a2ec0-8328-40db-9f58-7eaac4ad39a0", "value": "Villeneuve 2011" }, + { + "description": "Tommy Madjar; Pim Trouerbach; Selena Larson; The Proofpoint Threat Research Team. (2024, August 29). The Malware That Must Not Be Named Suspected Espionage Campaign Delivers “Voldemort” . Retrieved August 29, 2024.", + "meta": { + "date_accessed": "2024-08-29T00:00:00Z", + "date_published": "2024-08-29T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort" + ], + "source": "Tidal Cyber", + "title": "The Malware That Must Not Be Named Suspected Espionage Campaign Delivers “Voldemort”" + }, + "related": [], + "uuid": "548f23b2-3ab6-4ea0-839f-8f9c8745d91d", + "value": "Proofpoint August 29 2024" + }, { "description": "Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.", "meta": { @@ -55932,6 +56489,22 @@ "uuid": "f8a8a3a0-5b30-5f3e-a7b0-f8a4aaae7ee7", "value": "Cofense Agent Tesla" }, + { + "description": "Laura Brosnan. (2024, March 18). The rise of Charcoal Stork . Retrieved September 26, 2024.", + "meta": { + "date_accessed": "2024-09-26T00:00:00Z", + "date_published": "2024-03-18T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://redcanary.com/blog/threat-intelligence/charcoal-stork/" + ], + "source": "Tidal Cyber", + "title": "The rise of Charcoal Stork" + }, + "related": [], + "uuid": "a86131cd-1a42-4222-9d39-221dd6e054ba", + "value": "Red Canary March 18 2024" + }, { "description": "Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.", "meta": { 
@@ -56595,6 +57168,22 @@ "uuid": "26d7134e-7b93-4aa1-a859-03cf964ca1b5", "value": "Atlas SEO" }, + { + "description": "Vanja Svajcer. (2024, September 3). Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads. Retrieved September 3, 2024.", + "meta": { + "date_accessed": "2024-09-03T00:00:00Z", + "date_published": "2024-09-03T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://blog.talosintelligence.com/threat-actors-using-macropack/" + ], + "source": "Tidal Cyber", + "title": "Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads" + }, + "related": [], + "uuid": "b222cabd-347d-45d4-aeaf-4135795d944d", + "value": "Cisco Talos Blog September 3 2024" + }, { "description": "Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.", "meta": { @@ -56791,6 +57380,21 @@ "uuid": "5e1db76a-0a3e-42ce-a66c-f914fb1a3471", "value": "Unit 42 DGA Feb 2019" }, + { + "description": "Red Canary. (n.d.). Threat: ChromeLoader. Retrieved September 26, 2024.", + "meta": { + "date_accessed": "2024-09-26T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://redcanary.com/threat-detection-report/threats/chromeloader/" + ], + "source": "Tidal Cyber", + "title": "Threat: ChromeLoader" + }, + "related": [], + "uuid": "bcfe9d10-11fe-4241-8262-bce07e8a11c1", + "value": "Red Canary TDR ChromeLoader" + }, { "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.", "meta": { 
@@ -57523,21 +58127,6 @@ "uuid": "99e48516-f918-477c-b85e-4ad894cc031f", "value": "JScrip May 2018" }, - { - "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.", - "meta": { - "date_accessed": "2021-09-02T00:00:00Z", - "date_published": "2021-05-13T00:00:00Z", - "refs": [ - "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" - ], - "source": "MITRE, Tidal Cyber", - "title": "Transparent Tribe APT expands its Windows malware arsenal" - }, - "related": [], - "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d", - "value": "Talos Transparent Tribe May 2021" - }, { "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.", "meta": { @@ -57553,6 +58142,21 @@ "uuid": "be1e3092-1981-457b-ae76-b55b057e1d73", "value": "tt_obliqueRAT" }, + { + "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.", + "meta": { + "date_accessed": "2021-09-02T00:00:00Z", + "date_published": "2021-05-13T00:00:00Z", + "refs": [ + "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" + ], + "source": "MITRE, Tidal Cyber", + "title": "Transparent Tribe APT expands its Windows malware arsenal" + }, + "related": [], + "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d", + "value": "Talos Transparent Tribe May 2021" + }, { "description": "N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.", "meta": { 
@@ -57583,21 +58187,6 @@ "uuid": "9bdda422-dbf7-4b70-a7b1-9e3ad658c239", "value": "tt_httrack_fake_domains" }, - { - "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.", - "meta": { - "date_accessed": "2021-04-01T00:00:00Z", - "date_published": "2020-08-20T00:00:00Z", - "refs": [ - "https://securelist.com/transparent-tribe-part-1/98127/" - ], - "source": "MITRE", - "title": "Transparent Tribe: Evolution analysis, part 1" - }, - "related": [], - "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0", - "value": "Securelist Trasparent Tribe 2020" - }, { "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.", "meta": { @@ -57613,6 +58202,21 @@ "uuid": "42c7faa2-f664-4e4a-9d23-93c88a09da5b", "value": "Kaspersky Transparent Tribe August 2020" }, + { + "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.", + "meta": { + "date_accessed": "2021-04-01T00:00:00Z", + "date_published": "2020-08-20T00:00:00Z", + "refs": [ + "https://securelist.com/transparent-tribe-part-1/98127/" + ], + "source": "MITRE", + "title": "Transparent Tribe: Evolution analysis, part 1" + }, + "related": [], + "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0", + "value": "Securelist Trasparent Tribe 2020" + }, { "description": "Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.", "meta": { 
@@ -58330,21 +58934,6 @@ "uuid": "5d69d122-13bc-45c4-95ab-68283a21b699", "value": "TrendMicro Tropic Trooper Mar 2018" }, - { - "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.", - "meta": { - "date_accessed": "2020-12-18T00:00:00Z", - "date_published": "2016-11-22T00:00:00Z", - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ], - "source": "MITRE", - "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy" - }, - "related": [], - "uuid": "47524b17-1acd-44b1-8de5-168369fa9455", - "value": "paloalto Tropic Trooper 2016" - }, { "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.", "meta": { @@ -58360,6 +58949,21 @@ "uuid": "cad84e3d-9506-44f8-bdd9-d090e6ce9b06", "value": "Unit 42 Tropic Trooper Nov 2016" }, + { + "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.", + "meta": { + "date_accessed": "2020-12-18T00:00:00Z", + "date_published": "2016-11-22T00:00:00Z", + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ], + "source": "MITRE", + "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy" + }, + "related": [], + "uuid": "47524b17-1acd-44b1-8de5-168369fa9455", + "value": "paloalto Tropic Trooper 2016" + }, { "description": "Microsoft. (2023, October 23). Troubleshooting Conditional Access policy changes. Retrieved January 2, 2024.", "meta": { 
@@ -60361,21 +60965,6 @@ "uuid": "32a30a3f-3ed1-4def-86b1-f40bbffa1cc5", "value": "Microsoft SMB Packet Signing" }, - { - "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", - "meta": { - "date_accessed": "2016-04-07T00:00:00Z", - "date_published": "2012-06-27T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)?redirectedfrom=MSDN" - ], - "source": "MITRE", - "title": "Using Software Restriction Policies and AppLocker Policies" - }, - "related": [], - "uuid": "774e6598-0926-4adb-890f-00824de07ae0", - "value": "Microsoft Using Software Restriction" - }, { "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", "meta": { @@ -60391,6 +60980,21 @@ "uuid": "84e1c53f-e858-4106-9c14-1b536d5b56f9", "value": "TechNet Applocker vs SRP" }, + { + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", + "meta": { + "date_accessed": "2016-04-07T00:00:00Z", + "date_published": "2012-06-27T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)?redirectedfrom=MSDN" + ], + "source": "MITRE", + "title": "Using Software Restriction Policies and AppLocker Policies" + }, + "related": [], + "uuid": "774e6598-0926-4adb-890f-00824de07ae0", + "value": "Microsoft Using Software Restriction" + }, { "description": "Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.", "meta": { 
@@ -60985,6 +61589,22 @@ "uuid": "90a5ab3c-c2a8-4b02-9bd7-628672907737", "value": "Offensive Security VNC Authentication Check" }, + { + "description": "Peter Girnus, Aliakbar Zahravi. (2024, July 15). Void Banshee Targets Windows Users. Retrieved September 19, 2024.", + "meta": { + "date_accessed": "2024-09-19T00:00:00Z", + "date_published": "2024-07-15T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html" + ], + "source": "Tidal Cyber", + "title": "Void Banshee Targets Windows Users" + }, + "related": [], + "uuid": "02c4dda2-3aae-43ec-9b14-df282b200def", + "value": "Trend Micro Void Banshee July 15 2024" + }, { "description": "Feike Hacquebord, Stephen Hilt, Fernando Merces, Lord Alfred Remorin. (2023, May 30). Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals. Retrieved June 4, 2023.", "meta": { @@ -61016,6 +61636,21 @@ "uuid": "a26344a2-63ca-422e-8cf9-0cf22a5bee72", "value": "CheckPoint Volatile Cedar March 2015" }, + { + "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", + "meta": { + "date_accessed": "2023-07-27T00:00:00Z", + "date_published": "2023-05-24T00:00:00Z", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" + ], + "source": "MITRE", + "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques" + }, + "related": [], + "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f", + "value": "Microsoft Volt Typhoon May 2023" + }, { "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved May 25, 2023.", "meta": { 
@@ -61032,21 +61667,6 @@ "uuid": "2e94c44a-d2a7-4e56-ac8a-df315fc14ec1", "value": "Microsoft Volt Typhoon May 24 2023" }, - { - "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.", - "meta": { - "date_accessed": "2023-07-27T00:00:00Z", - "date_published": "2023-05-24T00:00:00Z", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" - ], - "source": "MITRE", - "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques" - }, - "related": [], - "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f", - "value": "Microsoft Volt Typhoon May 2023" - }, { "description": "LOLBAS. (2023, July 12). VSDiagnostics.exe. Retrieved December 4, 2023.", "meta": { @@ -61143,21 +61763,6 @@ "uuid": "70c168a0-9ddf-408d-ba29-885c0c5c936a", "value": "vstest.console.exe - LOLBAS Project" }, - { - "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.", - "meta": { - "date_accessed": "2017-02-03T00:00:00Z", - "date_published": "2016-07-20T00:00:00Z", - "refs": [ - "https://skanthak.homepage.t-online.de/sentinel.html" - ], - "source": "MITRE", - "title": "Vulnerability and Exploit Detector" - }, - "related": [], - "uuid": "94f99326-1512-47ca-8c99-9b382e4d0261", - "value": "Kanthak Sentinel" - }, { "description": "Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.", "meta": { 
@@ -61173,6 +61778,21 @@ "uuid": "d63d6e14-8fe7-4893-a42f-3752eaec8770", "value": "Vulnerability and Exploit Detector" }, + { + "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.", + "meta": { + "date_accessed": "2017-02-03T00:00:00Z", + "date_published": "2016-07-20T00:00:00Z", + "refs": [ + "https://skanthak.homepage.t-online.de/sentinel.html" + ], + "source": "MITRE", + "title": "Vulnerability and Exploit Detector" + }, + "related": [], + "uuid": "94f99326-1512-47ca-8c99-9b382e4d0261", + "value": "Kanthak Sentinel" + }, { "description": "CertiK. (2020, June 30). Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run. Retrieved March 7, 2024.", "meta": { @@ -61667,20 +62287,6 @@ "uuid": "d316c581-646d-48e7-956e-34e2f957c67d", "value": "Cofense Astaroth Sept 2018" }, - { - "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", - "meta": { - "date_accessed": "2021-09-14T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" - ], - "source": "MITRE", - "title": "wevtutil" - }, - "related": [], - "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", - "value": "Wevtutil Microsoft Documentation" - }, { "description": "Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.", "meta": { 
@@ -61696,6 +62302,20 @@ "uuid": "8896d802-96c6-4546-8a82-c1f7f2d71ea1", "value": "Microsoft wevtutil Oct 2017" }, + { + "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", + "meta": { + "date_accessed": "2021-09-14T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" + ], + "source": "MITRE", + "title": "wevtutil" + }, + "related": [], + "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e", + "value": "Wevtutil Microsoft Documentation" + }, { "description": "LOLBAS. (2021, September 26). Wfc.exe. Retrieved December 4, 2023.", "meta": { @@ -62669,21 +63289,6 @@ "uuid": "92ac290c-4863-4774-b334-848ed72e3627", "value": "Trend Micro Privileged Container" }, - { - "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.", - "meta": { - "date_accessed": "2024-01-02T00:00:00Z", - "date_published": "2023-09-14T00:00:00Z", - "refs": [ - "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" - ], - "source": "MITRE", - "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety" - }, - "related": [], - "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b", - "value": "Mandiant UNC3944 SMS Phishing 2023" - }, { "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved November 16, 2023.", "meta": { 
@@ -62700,6 +63305,21 @@ "uuid": "7420d79f-c6a3-4932-9c2e-c9cc36e2ca35", "value": "Mandiant UNC3944 September 14 2023" }, + { + "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.", + "meta": { + "date_accessed": "2024-01-02T00:00:00Z", + "date_published": "2023-09-14T00:00:00Z", + "refs": [ + "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" + ], + "source": "MITRE", + "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety" + }, + "related": [], + "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b", + "value": "Mandiant UNC3944 SMS Phishing 2023" + }, { "description": "Stack Overflow. (n.d.). Why do I see an \"Electron Security Warning\" after updating my Electron project to the latest version?. Retrieved March 7, 2024.", "meta": { @@ -62816,6 +63436,22 @@ "uuid": "806eadfc-f473-4f2b-b03b-8a1f1c0a2d96", "value": "ESET Carberp March 2012" }, + { + "description": "Microsoft Corporation. (2012, April 2). Win32Gamarue threat description - Microsoft Security Intelligence. Retrieved September 27, 2024.", + "meta": { + "date_accessed": "2024-09-27T00:00:00Z", + "date_published": "2012-04-02T00:00:00Z", + "owner": "TidalCyberIan", + "refs": [ + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue" + ], + "source": "Tidal Cyber", + "title": "Win32Gamarue threat description - Microsoft Security Intelligence" + }, + "related": [], + "uuid": "de44abcc-9467-4c63-b0c4-c3a3b282ae39", + "value": "microsoft.com April 2 2012" + }, { "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", "meta": { 
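Review bot: The entry added at -62816 has `"value": "microsoft.com April 2 2012"` and `"title": "Win32Gamarue threat description - Microsoft Security Intelligence"`, which breaks the label convention the surrounding Tidal-sourced entries follow (publisher, subject, date, e.g. `"U.S. CISA RansomHub Ransomware August 29 2024"`) and drops the slash from the family name that the refs URL still carries as `Win32/Gamarue`. A label with no subject is hard to pick out in a MISP tag picker, and the mangled family name will not match a search for the canonical `Win32/Gamarue`. Something like `"value": "Microsoft Win32/Gamarue April 2 2012"` would fit the sibling entries; the exact wording should come from the upstream Tidal record rather than be invented here.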
@@ -63168,21 +63804,6 @@ "uuid": "20ec94d1-4a5c-43f5-bb65-f3ea965d2b6e", "value": "TechNet PowerShell" }, - { - "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", - "meta": { - "date_accessed": "2018-08-10T00:00:00Z", - "date_published": "2018-01-26T00:00:00Z", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/" - ], - "source": "MITRE", - "title": "Windows Privilege Escalation Guide" - }, - "related": [], - "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b", - "value": "Windows Privilege Escalation Guide" - }, { "description": "McFarland, R. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", "meta": { @@ -63198,6 +63819,21 @@ "uuid": "c52945dc-eb20-4e69-8f8e-a262f33c244c", "value": "SploitSpren Windows Priv Jan 2018" }, + { + "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.", + "meta": { + "date_accessed": "2018-08-10T00:00:00Z", + "date_published": "2018-01-26T00:00:00Z", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/" + ], + "source": "MITRE", + "title": "Windows Privilege Escalation Guide" + }, + "related": [], + "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b", + "value": "Windows Privilege Escalation Guide" + }, { "description": "HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018.", "meta": { 
@@ -63448,21 +64084,6 @@ "uuid": "25d54a16-59a0-497d-a4a5-021420da8f1c", "value": "Microsoft System Services Fundamentals" }, - { - "description": "Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.", - "meta": { - "date_accessed": "2018-03-26T00:00:00Z", - "date_published": "2017-05-31T00:00:00Z", - "refs": [ - "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings" - ], - "source": "MITRE", - "title": "Windows Time Service Tools and Settings" - }, - "related": [], - "uuid": "9e3d8dec-745a-4744-b80c-d65897ebba3c", - "value": "Microsoft W32Time May 2017" - }, { "description": "Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.", "meta": { @@ -63478,6 +64099,21 @@ "uuid": "0d908e07-abc1-40fc-b147-9b9fd483b262", "value": "Technet Windows Time Service" }, + { + "description": "Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.", + "meta": { + "date_accessed": "2018-03-26T00:00:00Z", + "date_published": "2017-05-31T00:00:00Z", + "refs": [ + "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings" + ], + "source": "MITRE", + "title": "Windows Time Service Tools and Settings" + }, + "related": [], + "uuid": "9e3d8dec-745a-4744-b80c-d65897ebba3c", + "value": "Microsoft W32Time May 2017" + }, { "description": "Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018.", "meta": { diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json index 096cdd4..5b1a0f6 100644 --- a/clusters/tidal-software.json +++ b/clusters/tidal-software.json @@ -28,10 +28,6 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" - }, - { - "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "type": "similar" } ], "uuid": "71d76208-c465-4447-8d6e-c54f142b65a4", 
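Review bot: In tidal-software.json the hunk at -28 removes the `{"dest-uuid": "7bec698a-…", "type": "similar"}` edge from the entry with uuid 71d76208, leaving only its `used-by` link, and every following hunk in this file repeats the same deletion of `similar` edges. Those edges are what let a consumer pivot from a Tidal software record to its counterpart in another galaxy (presumably the MITRE software cluster — the target uuids cannot be resolved from this diff), so dropping them silently breaks correlation for anyone who relied on them for ATT&CK mapping. If the links are being re-homed elsewhere the commit message should say where; if they are genuinely gone, a changelog entry would spare downstream MISP users from discovering it through failed lookups. The entry bodies begin before each hunk, so the names of the affected software are not visible here.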
@@ -56,10 +52,6 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" - }, - { - "dest-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "type": "similar" } ], "uuid": "a15142a3-4797-4fef-8ec6-065e3322a69b", @@ -72,7 +64,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5023", + "software_attack_id": "S3023", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -137,9 +129,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5299", + "software_attack_id": "S3061", "source": "Tidal Cyber", "tags": [ + "51946995-71d4-4bd3-9f7f-491b450f018b", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -181,10 +174,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756", - "type": "similar" } ], "uuid": "3d33fbf5-c21e-4587-ba31-9aeec3cc10c0", @@ -209,10 +198,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c", - "type": "similar" } ], "uuid": "394cadd0-bc4d-4181-ac53-858e84b8e3de", @@ -225,7 +210,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5203", + "software_attack_id": "S3324", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -246,7 +231,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5059", + "software_attack_id": "S3082", "source": "Tidal Cyber", "tags": [ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c" @@ -284,10 +269,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", - "type": "similar" } ], "uuid": "cf465790-3d6d-5767-bb8c-63a429f95d83", 
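Review bot: The hunks at -72, -225, -246, -350, -479, -500, -528, -586 and -637 rewrite `software_attack_id` (for example `"S5023"` → `"S3023"` and `"S5299"` → `"S3061"`), and since that field is the Tidal-side identifier that tags, detections and reports cite, renumbering it with no forwarding is a breaking change for every consumer keyed on the old value. The mapping is not derivable: `S5006` becomes `S3025` while `S5025` becomes `S3026`, so a consumer cannot reconstruct it and it has to be published. Ask for the old→new table in the commit message or changelog, and check whether the galaxy schema offers a place to retain the superseded ID (an alias or synonym list) so existing references keep resolving. The affected entries start before each hunk, so their `value` names are not visible in this view.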
@@ -309,10 +290,6 @@ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" - }, - { - "dest-uuid": "36801ffb-5c85-4c50-9121-6122e389366d", - "type": "similar" } ], "uuid": "202781a3-d481-4984-9e5a-31caafc20135", @@ -334,10 +311,6 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" - }, - { - "dest-uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", - "type": "similar" } ], "uuid": "f52e759a-a725-4b50-84f2-12bef89d369e", @@ -350,7 +323,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5082", + "software_attack_id": "S3190", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -463,10 +436,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", - "type": "similar" } ], "uuid": "70559096-2a6b-4388-97e6-c2b16f3be78e", @@ -479,7 +448,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5204", + "software_attack_id": "S3325", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -500,7 +469,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5270", + "software_attack_id": "S3111", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -528,7 +497,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5024", + "software_attack_id": "S3024", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -586,7 +555,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5006", + "software_attack_id": "S3025", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -637,7 +606,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5025", + "software_attack_id": "S3026", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", 
@@ -672,7 +641,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5187", + "software_attack_id": "S3308", "source": "Tidal Cyber", "tags": [ "7a457caf-c3b6-4a48-84cf-c1f50a2eda27", @@ -708,10 +677,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "type": "similar" } ], "uuid": "ef7f4f5f-6f30-4059-87d1-cd8375bf1bee", @@ -733,12 +698,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "type": "similar" - } - ], + "related": [], "uuid": "f27c9a91-c618-40c6-837d-089ba4d80f45", "value": "Agent.btz" }, @@ -749,7 +709,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5205", + "software_attack_id": "S3326", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -772,6 +732,7 @@ "software_attack_id": "S0331", "source": "MITRE", "tags": [ + "d11d22a2-518d-4727-975b-d04d8826e4c0", "16b47583-1c54-431f-9f09-759df7b5ddb7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], @@ -787,10 +748,6 @@ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" - }, - { - "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", - "type": "similar" } ], "uuid": "304650b1-a0b5-460c-9210-23a5b53815a4", @@ -805,6 +762,7 @@ "software_attack_id": "S1129", "source": "MITRE", "tags": [ + "fde14c10-e749-4c04-b97f-1d9fbd6e72e7", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -825,10 +783,6 @@ { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" - }, - { - "dest-uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656", - "type": "similar" } ], "uuid": "96ae0e1e-975a-5e11-adbe-c79ee17cee11", @@ -886,10 +840,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9", - "type": "similar" } ], "uuid": "f173ec20-ef40-436b-a859-fef017e1e767", 
@@ -915,10 +865,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e", - "type": "similar" } ], "uuid": "9521c535-1043-4b82-ba5d-e5eaeca500ee", @@ -936,12 +882,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d", - "type": "similar" - } - ], + "related": [], "uuid": "69aac793-9e6a-5167-bc62-823189ee2f7b", "value": "ANDROMEDA" }, @@ -954,9 +895,10 @@ "Linux", "Windows" ], - "software_attack_id": "S5274", + "software_attack_id": "S3114", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -970,6 +912,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" @@ -985,9 +931,11 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5007", + "software_attack_id": "S3027", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", "cc4ea215-87ce-4351-9579-cf527caf5992", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -1017,6 +965,18 @@ "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, + { + "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", + "type": "used-by" + }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -1088,7 +1048,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5083", + "software_attack_id": "S3191", "source": "Tidal Cyber", "tags": [ "837cf289-ad09-48ca-adf9-b46b07015666", 
@@ -1125,10 +1085,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858", - "type": "similar" } ], "uuid": "cdeb3110-07e5-4c3d-9eef-e6f2b760ef33", @@ -1154,10 +1110,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570", - "type": "similar" } ], "uuid": "9df2e42e-b454-46ea-b50d-2f7d999f3d42", @@ -1170,7 +1122,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5206", + "software_attack_id": "S3327", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -1191,7 +1143,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5286", + "software_attack_id": "S3001", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -1223,10 +1175,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "3161d76a-e2b2-4b97-9906-24909b735386", - "type": "similar" } ], "uuid": "7ba79887-d496-47aa-8b71-df7f46329322", @@ -1269,10 +1217,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", - "type": "similar" } ], "uuid": "45b51950-6190-4572-b1a2-7c69d865251e", @@ -1285,7 +1229,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5084", + "software_attack_id": "S3192", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -1330,10 +1274,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", - "type": "similar" } ], "uuid": "a0cce010-9158-45e5-978a-f002e5c31a03", 
@@ -1348,18 +1288,14 @@ "software_attack_id": "S0373", "source": "MITRE", "tags": [ + "84d9893e-e338-442a-bfc0-3148ad5f716d", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, - "related": [ - { - "dest-uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6", - "type": "similar" - } - ], + "related": [], "uuid": "ea719a35-cbe9-4503-873d-164f68ab4544", "value": "Astaroth" }, @@ -1372,15 +1308,14 @@ "software_attack_id": "S1087", "source": "MITRE", "tags": [ + "9eaf6107-4d57-4bc7-b6d2-4541d5936672", "af5e9be5-b86e-47af-91dd-966a5e34a186", "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", - "2feda37d-5579-4102-a073-aa02e82cb49f", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444" ], @@ -1400,10 +1335,6 @@ { "dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267", "type": "used-by" - }, - { - "dest-uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d", - "type": "similar" } ], "uuid": "d587efff-4699-51c7-a4cc-bdbd1b302ed4", @@ -1440,10 +1371,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", - "type": "similar" } ], "uuid": "af01dc7b-a2bc-4fda-bbfe-d2be889c2860", @@ -1456,7 +1383,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5085", + "software_attack_id": "S3194", "source": "Tidal Cyber", "tags": [ "85a29262-64bd-443c-9e08-3ee26aac859b", @@ -1478,7 +1405,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5014", + "software_attack_id": "S3008", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", 
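Review bot: Tags `c6e1f516-1a18-4ff9-b563-e6ac8103b104` and `2feda37d-5579-4102-a073-aa02e82cb49f` are removed from the S1087 entry in the `@@ -1372,15 +1308,14 @@` hunk and from the S0234 entry in the later `@@ -2192,8 +2117,6 @@` hunk, while the same pair is attached to the new CBROVER entry (S3172) in this diff, so the tags themselves are not retired. Presumably this is an upstream reclassification of those two MITRE-sourced entries; a one-line mention in the commit description would spare the next reader from checking whether the generator dropped them by accident.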
@@ -1510,6 +1437,10 @@ "dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e", "type": "used-by" }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -1549,9 +1480,10 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5314", + "software_attack_id": "S3127", "source": "Tidal Cyber", "tags": [ + "4d767e87-4cf6-438a-927a-43d2d0beaab7", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f" ], @@ -1575,12 +1507,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", - "type": "similar" - } - ], + "related": [], "uuid": "89c35e9f-b435-4f58-9073-f24c1ee8754f", "value": "Attor" }, @@ -1600,10 +1527,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", - "type": "similar" } ], "uuid": "d0c25f14-5eb3-40c1-a890-2ab1349dff53", @@ -1617,6 +1540,9 @@ ], "software_attack_id": "S0129", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -1629,10 +1555,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "type": "similar" } ], "uuid": "3f927596-5219-49eb-bd0d-57068b0e04ed", @@ -1645,7 +1567,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5277", + "software_attack_id": "S3117", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -1686,10 +1608,6 @@ { "dest-uuid": "31bc763e-623f-4870-9780-86e43d732594", "type": "used-by" - }, - { - "dest-uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5", - "type": "similar" } ], "uuid": "649a4cfc-c0d0-412d-a28c-1bd4ed604ea8", 
@@ -1704,6 +1622,7 @@ "software_attack_id": "S0640", "source": "MITRE", "tags": [ + "8c65cb23-442d-4855-9d80-e0ac27bcfc48", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" @@ -1712,12 +1631,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "58c5a3a1-928f-4094-9e98-a5a4e56dd5f3", - "type": "similar" - } - ], + "related": [], "uuid": "bad92974-35f6-4183-8024-b629140c6ee6", "value": "Avaddon" }, @@ -1740,10 +1654,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8", - "type": "similar" } ], "uuid": "e5ca0192-e905-46a1-abef-ce1119c1f967", 
@@ -1772,15 +1682,45 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d", - "type": "similar" - } - ], + "related": [], "uuid": "e792dc8d-b0f4-5916-8850-a61ff53125d0", "value": "AvosLocker" }, + { + "description": "AzCopy is a command line tool that enables Azure storage data transfers. It facilitates file transfer activity for Azure Storage Explorer, another legitimate utility that has been abused by ransomware operations like the BianLian and Rhysida gangs.[[modePUSH Azure Storage Explorer September 14 2024](/references/a4c50b03-f0d7-4d29-a9de-e550be61390c)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Azure AD", + "Linux", + "macOS", + "Windows" + ], + "software_attack_id": "S3187", + "source": "Tidal Cyber", + "tags": [ + "c9c73000-30a5-4a16-8c8b-79169f9c24aa", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "8bf128ad-288b-41bc-904f-093f4fdde745", + "e1af18e3-3224-4e4c-9d0f-533768474508" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, + { + "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", + "type": "used-by" + } + ], + "uuid": "aab3287b-932a-4208-af5e-d10abffb188b", + "value": "AzCopy" + }, { "description": "[Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been seen used for cryptocurrency theft. 
[[Unit42 Azorult Nov 2018](https://app.tidalcyber.com/references/44ceddf6-bcbf-4a60-bb92-f8cdc675d185)][[Proofpoint Azorult July 2018](https://app.tidalcyber.com/references/a85c869a-3ba3-42c2-9460-d3d1f0874044)]", "meta": { 
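Review bot: The citation in the new AzCopy entry's description points to `/references/a4c50b03-f0d7-4d29-a9de-e550be61390c`, a root-relative path that only resolves on the Tidal site, whereas the MITRE-sourced Azorult entry in the same hunk uses absolute `https://app.tidalcyber.com/references/...` links; the new Azure Storage Explorer (`@@ -1800,15 +1740,46 @@`) and CBROVER (`@@ -3758,15 +3501,38 @@`) entries have the same form. The existing CC-Attack entry already uses this style, so it looks like a generator convention for Tidal-owned entries rather than a new slip, but emitting absolute URLs would make the citations usable on the rendered galaxy pages. Separately, `"Azure AD"` in `platforms` for a storage-transfer CLI is presumably copied from the upstream record; worth confirming against the source rather than editing here.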
@@ -1800,15 +1740,46 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080", - "type": "similar" } ], "uuid": "cc68a7f0-c955-465f-bee0-2dacbb179078", "value": "Azorult" }, + { + "description": "Azure Storage Explorer is a Microsoft application that provides a graphical interface for managing Azure storage elements, as well as file and folder download and upload capabilities. The associated AzCopy tool facilitates actual Azure Storage Explorer file transfer capabilities.[[modePUSH Azure Storage Explorer September 14 2024](/references/a4c50b03-f0d7-4d29-a9de-e550be61390c)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Azure AD", + "Linux", + "macOS", + "Windows" + ], + "software_attack_id": "S3186", + "source": "Tidal Cyber", + "tags": [ + "c9c73000-30a5-4a16-8c8b-79169f9c24aa", + "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", + "8bf128ad-288b-41bc-904f-093f4fdde745", + "e1af18e3-3224-4e4c-9d0f-533768474508" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", + "type": "used-by" + }, + { + "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", + "type": "used-by" + } + ], + "uuid": "1674b306-aa70-44f5-b373-24bb5fc51cfa", + "value": "Azure Storage Explorer" + }, { "description": "[Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. 
The operators of [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[[Sogeti CERT ESEC Babuk March 2021](https://app.tidalcyber.com/references/e85e3bd9-6ddc-4d0f-a16c-b525a75baa7e)][[McAfee Babuk February 2021](https://app.tidalcyber.com/references/bb23ca19-78bb-4406-90a4-bf82bd467e04)][[CyberScoop Babuk February 2021](https://app.tidalcyber.com/references/0a0aeacd-0976-4c84-b40d-5704afca9f0e)]", "meta": { @@ -1837,12 +1808,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "61c7a91a-0b83-461d-ad32-75d96eed4a09", - "type": "similar" - } - ], + "related": [], "uuid": "0dc07eb9-66df-4116-b1bc-7020ca6395a1", "value": "Babuk" }, @@ -1865,10 +1831,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", - "type": "similar" } ], "uuid": "ebb824a2-abff-4bfd-87f0-d63cb02b62e6", @@ -1893,10 +1855,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00", - "type": "similar" } ], "uuid": "2763ad8c-cf4e-42eb-88db-a40ff8f96cf9", @@ -1921,10 +1879,6 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" - }, - { - "dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "type": "similar" } ], "uuid": "f7cc5974-767c-4cb4-acc7-36295a386ce5", @@ -1949,10 +1903,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "type": "similar" } ], "uuid": "d0daaa00-68e1-4568-bb08-3f28bcd82c63", @@ -1965,7 +1915,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5026", + "software_attack_id": "S3028", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", 
@@ -2017,10 +1967,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", - "type": "similar" } ], "uuid": "d7aa53a5-0912-4952-8f7f-55698e933c3b", @@ -2045,10 +1991,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790", - "type": "similar" } ], "uuid": "8c454294-81cb-45d0-b299-818994ad3e6f", @@ -2070,10 +2012,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888", - "type": "similar" } ], "uuid": "16481e0f-49d5-54c1-a1fe-16d9e7f8d08c", @@ -2095,10 +2033,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "type": "similar" } ], "uuid": "34c24d27-c779-42a4-9f61-3f0d3fea6fd4", @@ -2116,12 +2050,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", - "type": "similar" - } - ], + "related": [], "uuid": "10e76722-4b52-47f6-9276-70e95fecb26b", "value": "BadPatch" }, @@ -2132,7 +2061,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5304", + "software_attack_id": "S3070", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -2174,10 +2103,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "type": "similar" } ], "uuid": "a1d86d8f-fa48-43aa-9833-7355750e455c", @@ -2192,8 +2117,6 @@ "software_attack_id": "S0234", "source": "MITRE", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ 
@@ -2204,10 +2127,6 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" - }, - { - "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b", - "type": "similar" } ], "uuid": "5c0f8c35-88ff-40a1-977a-af5ce534e932", @@ -2232,10 +2151,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", - "type": "similar" } ], "uuid": "24b8471d-698f-48cc-b47a-8fbbaf28b293", @@ -2248,7 +2163,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5086", + "software_attack_id": "S3195", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -2269,7 +2184,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5027", + "software_attack_id": "S3029", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -2325,10 +2240,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0", - "type": "similar" } ], "uuid": "b35d9817-6ead-4dbd-a2fa-4b8e217f8eac", @@ -2353,10 +2264,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea", - "type": "similar" } ], "uuid": "3daa5ae1-464e-4c0a-aa46-15264a2a0126", @@ -2374,12 +2281,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "type": "similar" - } - ], + "related": [], "uuid": "be4dab36-d499-4ac3-b204-5e309e3a5331", "value": "BBSRAT" }, @@ -2402,10 +2304,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "805480f1-6caa-4a67-8ca9-b2b39650d986", - "type": "similar" } ], "uuid": "a114a498-fcfd-4e0a-9d1e-e26750d71af8", @@ -2418,7 +2316,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5207", + "software_attack_id": "S3328", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", 
@@ -2439,7 +2337,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5001", + "software_attack_id": "S3010", "source": "Tidal Cyber", "tags": [ "35e694ec-5133-46e3-b7e1-5831867c3b55", @@ -2466,7 +2364,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5292", + "software_attack_id": "S3009", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -2503,10 +2401,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", - "type": "similar" } ], "uuid": "3ad98097-2d10-4aa1-9594-7e74828a3643", @@ -2531,10 +2425,6 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" - }, - { - "dest-uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d", - "type": "similar" } ], "uuid": "b898816e-610f-4c2f-9045-d9f28a54ee58", @@ -2560,10 +2450,6 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" - }, - { - "dest-uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100", - "type": "similar" } ], "uuid": "e7dec940-8701-4c06-9865-5b11c61c046d", @@ -2594,6 +2480,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" @@ -2625,10 +2515,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", - "type": "similar" } ], "uuid": "52a20d3d-1edd-4f17-87f0-b77c67d260b4", @@ -2643,6 +2529,7 @@ "software_attack_id": "S1070", "source": "MITRE", "tags": [ + "da5af5bf-d4f3-4bbb-9638-57ea2dc2c776", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -2664,10 +2551,6 @@ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" - }, - { - "dest-uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53", - "type": "similar" } ], "uuid": "0d5b24ba-68dc-50fa-8268-3012180fe374", 
@@ -2683,6 +2566,7 @@ "software_attack_id": "S1068", "source": "MITRE", "tags": [ + "d5248609-d9ed-4aad-849a-aa0476f85dea", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -2698,6 +2582,10 @@ "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" @@ -2709,10 +2597,6 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" - }, - { - "dest-uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc", - "type": "similar" } ], "uuid": "691369e5-ef74-5ff9-bc20-34efeb4b6c5b", @@ -2742,10 +2626,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "type": "similar" } ], "uuid": "e85e2fca-9347-4448-bfc1-342f29d5d6a1", @@ -2770,10 +2650,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "type": "similar" } ], "uuid": "908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f", @@ -2786,7 +2662,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5306", + "software_attack_id": "S3084", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -2818,10 +2694,6 @@ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" - }, - { - "dest-uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d", - "type": "similar" } ], "uuid": "da348a51-d047-4144-9ba4-34d2ce964a11", @@ -2835,9 +2707,10 @@ "Linux", "Windows" ], - "software_attack_id": "S5324", + "software_attack_id": "S3139", "source": "Tidal Cyber", "tags": [ + "2917207f-aa63-4c4a-b2d2-be7e16d1f25c", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "a2e000da-8181-4327-bacd-32013dbd3654", 
@@ -2875,10 +2748,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", - "type": "similar" } ], "uuid": "1af8ea81-40df-4fba-8d63-1858b8b31217", @@ -2893,6 +2762,8 @@ "software_attack_id": "S0521", "source": "MITRE", "tags": [ + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", @@ -2951,10 +2822,6 @@ { "dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e", "type": "used-by" - }, - { - "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", - "type": "similar" } ], "uuid": "72658763-8077-451e-8572-38858f8cacf3", @@ -2979,10 +2846,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0", - "type": "similar" } ], "uuid": "3aaaaf86-638b-4a65-be18-c6e6dcdcdb97", @@ -3000,12 +2863,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4c6d62c2-89f5-4159-8fab-0190b1f9d328", - "type": "similar" - } - ], + "related": [], "uuid": "3793db4b-f843-4cfd-89d2-ec28b62feda5", "value": "Bonadan" }, @@ -3017,6 +2875,9 @@ ], "software_attack_id": "S0360", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -3025,10 +2886,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", - "type": "similar" } ], "uuid": "d8690218-5272-47d8-8189-35d3b518e66f", @@ -3043,6 +2900,7 @@ "software_attack_id": "S0635", "source": "MITRE", "tags": [ + "15126457-d8bb-4799-9cee-b18e17ef9703", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ 
@@ -3053,10 +2911,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074", - "type": "similar" } ], "uuid": "9d393f6f-855e-4348-8a26-008174e3605a", @@ -3081,10 +2935,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010", - "type": "similar" } ], "uuid": "74a73624-d53b-4c84-a14b-8ae964fd577c", @@ -3102,12 +2952,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", - "type": "similar" - } - ], + "related": [], "uuid": "d47a4753-80f5-494e-aad7-d033aaff0d6d", "value": "BOOTRASH" }, @@ -3130,10 +2975,6 @@ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" - }, - { - "dest-uuid": "919a056e-5104-43b9-ad55-2ac929108b71", - "type": "similar" } ], "uuid": "d3e46011-3433-426c-83b3-61c2576d5f71", @@ -3155,10 +2996,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5", - "type": "similar" } ], "uuid": "51b27e2c-c737-4006-a657-195ea1a1f4f0", @@ -3180,10 +3017,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", - "type": "similar" } ], "uuid": "7942783c-73a7-413c-94d1-8981029a1c51", @@ -3198,6 +3031,7 @@ "software_attack_id": "S1063", "source": "MITRE", "tags": [ + "599dd679-c6a6-42b6-8b7a-29d840db2028", "e1af18e3-3224-4e4c-9d0f-533768474508", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], @@ -3209,10 +3043,6 @@ { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" - }, - { - "dest-uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5", - "type": "similar" } ], "uuid": "23043b44-69a6-5cdf-8f60-5a68068680c7", 
@@ -3230,12 +3060,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", - "type": "similar" - } - ], + "related": [], "uuid": "c9e773de-0213-4b64-83fb-637060c8b5ed", "value": "BS2005" }, @@ -3258,10 +3083,6 @@ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" - }, - { - "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "type": "similar" } ], "uuid": "2be4e3d2-e8c5-4406-8041-2c17bdb3a547", @@ -3286,10 +3107,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", - "type": "similar" } ], "uuid": "c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9", @@ -3316,10 +3133,6 @@ { "dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799", "type": "used-by" - }, - { - "dest-uuid": "04378e79-4387-468a-a8f7-f974b8254e44", - "type": "similar" } ], "uuid": "cc155181-fb34-4aaf-b083-b7b57b140b7a", @@ -3334,18 +3147,14 @@ "software_attack_id": "S0482", "source": "MITRE", "tags": [ + "707e8a2b-e223-4d99-91c2-43de4b4459f6", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ "malware" ] }, - "related": [ - { - "dest-uuid": "7bef1b56-4870-4e74-b32a-7dd88c390c44", - "type": "similar" - } - ], + "related": [], "uuid": "e9873bf1-9619-4c62-b4cf-1009e83de186", "value": "Bundlore" }, @@ -3361,12 +3170,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "29a0bb87-1162-4c83-9834-2a98a876051b", - "type": "similar" - } - ], + "related": [], "uuid": "44ed9567-2cb6-590e-b332-154557fb93f9", "value": "BUSHWALK" }, @@ -3386,10 +3190,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", - "type": "similar" } ], "uuid": "7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc", 
@@ -3402,9 +3202,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5309", + "software_attack_id": "S3107", "source": "Tidal Cyber", "tags": [ + "83a25621-55a6-4b0d-be67-4905b6d3a1c6", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "a2e000da-8181-4327-bacd-32013dbd3654", "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -3440,12 +3241,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b30d999d-64e0-4e35-9856-884e4b83d611", - "type": "similar" - } - ], + "related": [], "uuid": "62d0ddcd-790d-4d2d-9d94-276f54b40cf0", "value": "CaddyWiper" }, @@ -3465,10 +3261,6 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" - }, - { - "dest-uuid": "a705b085-1eae-455e-8f4d-842483d814eb", - "type": "similar" } ], "uuid": "c8a51b39-6906-4381-9bb4-4e9e612aa085", @@ -3490,10 +3282,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", - "type": "similar" } ], "uuid": "ad859a79-c183-44f6-a89a-f734710672a9", @@ -3511,12 +3299,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1", - "type": "similar" - } - ], + "related": [], "uuid": "6b5b408c-4f9d-4137-bfb1-830d12e9736c", "value": "Calisto" }, @@ -3536,10 +3319,6 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" - }, - { - "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "type": "similar" } ], "uuid": "352ee271-89e6-4d3f-9c26-98dbab0e2986", @@ -3561,10 +3340,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", - "type": "similar" } ], "uuid": "790e931d-2571-496d-9f48-322774a7d482", @@ -3590,10 +3365,6 @@ { "dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de", "type": "used-by" - }, - { - "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "type": "similar" } ], "uuid": "4cb9294b-9e4c-41b9-b640-46213a01952d", 
@@ -3611,12 +3382,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "bbcd7a02-ef24-4171-ac94-a93540173b94", - "type": "similar" - } - ], + "related": [], "uuid": "df9491fd-5e24-4548-8e21-1268dce59d1f", "value": "Carberp" }, @@ -3636,10 +3402,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", - "type": "similar" } ], "uuid": "61f5d19c-1da2-43d1-ab20-51eacbca71f2", @@ -3660,12 +3422,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4", - "type": "similar" - } - ], + "related": [], "uuid": "fa23acef-3034-43ee-9610-4fc322f0d80b", "value": "Cardinal RAT" }, @@ -3684,12 +3441,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4", - "type": "similar" - } - ], + "related": [], "uuid": "84bb4068-b441-435e-8535-02a458ffd50b", "value": "CARROTBALL" }, @@ -3705,12 +3457,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "1b9f0800-035e-4ed1-9648-b18294cc5bc8", - "type": "similar" - } - ], + "related": [], "uuid": "aefa893d-fc6e-41a9-8794-2700049db9e5", "value": "CARROTBAT" }, @@ -3730,10 +3477,6 @@ { "dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4", "type": "used-by" - }, - { - "dest-uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a", - "type": "similar" } ], "uuid": "04deccb5-9850-45c3-a900-5d7039a94190", 
@@ -3758,15 +3501,38 @@ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" - }, - { - "dest-uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64", - "type": "similar" } ], "uuid": "ee88afaa-88bc-4c20-906f-332866388549", "value": "Caterpillar WebShell" }, + { + "description": "CBROVER is a first-stage backdoor, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3172", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "73ff6a0c-12fd-43d6-b2ea-2949a7f748b1", + "value": "CBROVER" + }, { "description": "CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]", "meta": { @@ -3775,7 +3541,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5062", + "software_attack_id": "S3085", "source": "Tidal Cyber", "tags": [ "62bde669-3020-4682-be68-36c83b2588a4" @@ -3808,12 +3574,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", - "type": "similar" - } - ], + "related": [], "uuid": "4eb0720c-7046-4ff1-adfd-ae603506e499", "value": "CCBkdr" }, 
@@ -3829,12 +3590,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a394448a-4576-41b8-81cc-9b61abad94ab", - "type": "similar" - } - ], + "related": [], "uuid": "e00c2a0c-bbe5-4eff-b0ad-b2543456a317", "value": "ccf32" }, @@ -3845,7 +3601,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5208", + "software_attack_id": "S3329", "source": "Tidal Cyber", "tags": [ "4479b9e9-d912-451a-9ad5-08b3d922422d", 
@@ -3860,6 +3616,33 @@ "uuid": "d9ea2696-7c47-44cd-8784-9aeef5e149ea", "value": "Cdb" }, + { + "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3158", + "source": "Tidal Cyber", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "0dc7a5a5-c304-40bb-87d7-c0f77dd84b29", + "value": "CDumper" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for installing certificates\n\n**Author:** Ensar Samil\n\n**Paths:**\n* c:\\windows\\system32\\certoc.exe\n* c:\\windows\\syswow64\\certoc.exe\n\n**Resources:**\n* [https://twitter.com/sblmsrsn/status/1445758411803480072?s=20](https://twitter.com/sblmsrsn/status/1445758411803480072?s=20)\n* [https://twitter.com/sblmsrsn/status/1452941226198671363?s=20](https://twitter.com/sblmsrsn/status/1452941226198671363?s=20)\n\n**Detection:**\n* Sigma: [proc_creation_win_certoc_load_dll.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml)\n* IOC: Process creation with given parameter\n* IOC: Unsigned DLL load via certoc.exe\n* IOC: Network connection via certoc.exe[[CertOC.exe - LOLBAS Project](/references/b906498e-2773-419b-8c6d-3e974925ac18)]", "meta": { 
@@ -3867,7 +3650,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5087", + "software_attack_id": "S3197", "source": "Tidal Cyber", "tags": [ "fb909648-ee44-4871-abe6-82c909c4d677", @@ -3889,7 +3672,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5088", + "software_attack_id": "S3198", "source": "Tidal Cyber", "tags": [ "35a798a2-eaab-48a3-9ee7-5538f36a4172", @@ -3986,10 +3769,6 @@ { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" - }, - { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "type": "similar" } ], "uuid": "2fe21578-ee31-4ee8-b6ab-b5f76f97d043", @@ -4010,12 +3789,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "77e0ecf7-ca91-4c06-8012-8e728986a87a", - "type": "similar" - } - ], + "related": [], "uuid": "0c8efcd0-bfdf-4771-8754-18aac836c359", "value": "Chaes" }, @@ -4035,12 +3809,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5bcd5511-6756-4824-a692-e8bb109364af", - "type": "similar" - } - ], + "related": [], "uuid": "92c88765-6b12-42cd-b1d7-f6a65b2236e2", "value": "Chaos" }, @@ -4053,6 +3822,7 @@ "software_attack_id": "S0674", "source": "MITRE", "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ @@ -4063,10 +3833,6 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" - }, - { - "dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", - "type": "similar" } ], "uuid": "b1e3b56f-2e83-4cab-a1c1-16999009d056", @@ -4088,10 +3854,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "type": "similar" } ], "uuid": "3f2283ef-67c2-49a3-98ac-1aa9f0499361", @@ -4113,10 +3875,6 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" - }, - { - "dest-uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52", - "type": "similar" } ], "uuid": "6475bc8c-b95d-5cb3-92f0-aa7e2f18859a", 
@@ -4134,12 +3892,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", - "type": "similar" - } - ], + "related": [], "uuid": "2fd6f564-918e-4ee7-920a-2b4be858d11a", "value": "Cherry Picker" }, @@ -4195,10 +3948,6 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" - }, - { - "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "type": "similar" } ], "uuid": "723c5ab7-23ca-46f2-83bb-f1d1e550122c", @@ -4216,12 +3965,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e", - "type": "similar" - } - ], + "related": [], "uuid": "7c36563a-9143-4766-8aef-4e1787e18d8c", "value": "Chinoxy" }, @@ -4232,7 +3976,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5063", + "software_attack_id": "S3087", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -4274,7 +4018,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5028", + "software_attack_id": "S3030", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", 
@@ -4323,15 +4067,40 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "type": "similar" } ], "uuid": "01c6c49a-f7c8-44cd-a377-4dfd358ffeba", "value": "CHOPSTICK" }, + { + "description": "ChromeLoader is a \"browser hijacking\" malware that is capable of adjusting victim web browser settings and in order to redirect user traffic to advertisement websites. ChromeLoader is notable for using a relatively uncommon technique whereby PowerShell is leveraged to inject the malware into the browser and add a malicious extension to it.[[Red Canary May 25 2022](/references/bffc87ac-e51b-47e3-8a9f-547e762e95c2)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "macOS", + "Windows" + ], + "software_attack_id": "S5281", + "source": "Tidal Cyber", + "tags": [ + "9775efc2-e8ac-47de-bd2a-bb08202b48fd", + "707e8a2b-e223-4d99-91c2-43de4b4459f6", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "6d23e83f-fd4f-4802-bd01-daff7348741d", + "type": "used-by" + } + ], + "uuid": "1523b0d7-9c95-4f39-a23b-7ca347748dc6", + "value": "ChromeLoader" + }, { "description": "[Chrommme](https://app.tidalcyber.com/software/df77ed2a-f135-4f00-9a5e-79b7a6a2ed14) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) malware.[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]", "meta": { 
@@ -4347,15 +4116,41 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "579607c2-d046-40df-99ab-beb479c37a2a", - "type": "similar" - } - ], + "related": [], "uuid": "df77ed2a-f135-4f00-9a5e-79b7a6a2ed14", "value": "Chrommme" }, + { + "description": "A ransomware binary used by the ransomware-as-a-service (\"RaaS\") group of the same name, which was first observed in June 2024. This ransomware is written in Rust and can run on Windows and Linux/ESXi hosts. Researchers have highlighted several notable overlaps between Cicada3301 and ALPHV/BlackCat ransomware.[[Truesec AB August 30 2024](/references/de2de0a9-17d2-41c2-838b-7850762b80ae)][[Morphisec September 3 2024](/references/90549699-8815-45e8-820c-4f5a7fc584b8)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S3164", + "source": "Tidal Cyber", + "tags": [ + "a2e000da-8181-4327-bacd-32013dbd3654", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897", + "type": "used-by" + } + ], + "uuid": "a45b2ee6-43dd-47e8-9846-385a06c0c9ac", + "value": "Cicada3301" + }, { "description": "[Clambling](https://app.tidalcyber.com/software/4bac93bd-7e58-4ddb-a205-d99597b9e65e) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2017.[[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]", "meta": { @@ -4372,10 +4167,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "6e95feb1-78ee-48d3-b421-4d76663b5c49", - "type": "similar" } ], "uuid": "4bac93bd-7e58-4ddb-a205-d99597b9e65e", 
@@ -4388,7 +4179,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5257", + "software_attack_id": "S3378", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -4409,7 +4200,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5255", + "software_attack_id": "S3376", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -4430,7 +4221,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5256", + "software_attack_id": "S3377", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -4453,8 +4244,7 @@ "software_attack_id": "S0611", "source": "MITRE", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f", + "0629ccb3-83b1-4aeb-a9cb-1585b6b21542", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "b15c16f7-b8c7-4962-9acc-a98a39f87b69", "b18b5401-d88d-4f28-8f50-a884a5e58349", @@ -4483,10 +4273,6 @@ { "dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0", "type": "used-by" - }, - { - "dest-uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de", - "type": "similar" } ], "uuid": "5321aa75-924c-47ae-b97a-b36f023abf2a", @@ -4499,7 +4285,7 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5316", + "software_attack_id": "S3129", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -4532,10 +4318,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", - "type": "similar" } ], "uuid": "b3dd424b-ee96-449c-aa52-abbc7d4dfb86", @@ -4564,6 +4346,10 @@ "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" }, + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + }, { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" 
@@ -4691,10 +4477,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "type": "similar" } ], "uuid": "98d89476-63ec-4baf-b2b3-86c52170f5d8", @@ -4707,7 +4489,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5089", + "software_attack_id": "S3201", "source": "Tidal Cyber", "tags": [ "96bff827-e51f-47de-bde6-d2eec0f99767", @@ -4734,7 +4516,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5090", + "software_attack_id": "S3202", "source": "Tidal Cyber", "tags": [ "4c8f8830-0b2c-4c79-b1db-8659ede492f0", @@ -4756,7 +4538,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5091", + "software_attack_id": "S3203", "source": "Tidal Cyber", "tags": [ "65938118-2f00-48a1-856e-d1a75a08e3c6", @@ -4789,12 +4571,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817", - "type": "similar" - } - ], + "related": [], "uuid": "fbd3f71a-e123-5527-908c-9e7ea0d646e8", "value": "COATHANGER" }, @@ -4834,6 +4611,10 @@ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786", "type": "used-by" @@ -4977,10 +4758,6 @@ { "dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439", "type": "used-by" - }, - { - "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", - "type": "similar" } ], "uuid": "9b6bcbba-3ab4-4a4c-a233-cd12254823f6", @@ -4995,7 +4772,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5057", + "software_attack_id": "S3080", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -5029,12 +4806,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "aa1462a1-d065-416c-b354-bedd04998c7f", - "type": "similar" - } - ], + "related": [], "uuid": "d4e6f9f7-7f4d-47c2-be24-b267d9317303", "value": "Cobian RAT" }, 
@@ -5045,7 +4817,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5185", + "software_attack_id": "S3306", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -5071,12 +4843,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d1531eaa-9e17-473e-a680-3298469662c3", - "type": "similar" - } - ], + "related": [], "uuid": "b0d9b31a-072b-4744-8d2f-3a63256a932f", "value": "CoinTicker" }, @@ -5087,7 +4854,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5092", + "software_attack_id": "S3204", "source": "Tidal Cyber", "tags": [ "884eb1b1-aede-4db0-8443-ba50624682e1", @@ -5114,12 +4881,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", - "type": "similar" - } - ], + "related": [], "uuid": "341fc709-4908-4e41-8df3-554dae6d72b0", "value": "Comnie" }, @@ -5142,10 +4904,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", - "type": "similar" } ], "uuid": "300c5997-a486-4a61-8213-93a180c22849", @@ -5158,7 +4916,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5202", + "software_attack_id": "S3323", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", @@ -5203,12 +4961,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "58eddbaf-7416-419a-ad7b-e65b9d4c3b55", - "type": "similar" - } - ], + "related": [], "uuid": "ef33f1fa-18a3-4b30-b359-17b7930f43a7", "value": "Conficker" }, @@ -5219,7 +4972,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5093", + "software_attack_id": "S3205", "source": "Tidal Cyber", "tags": [ "d99039e1-e677-4226-8b63-e698d6642535", @@ -5241,7 +4994,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5094", + "software_attack_id": "S3206", "source": "Tidal Cyber", "tags": [ "ea54037d-e07b-42b0-afe6-33576ec36f44", 
@@ -5287,6 +5040,18 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897", + "type": "used-by" + }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -5310,10 +5075,6 @@ { "dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3", "type": "used-by" - }, - { - "dest-uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261", - "type": "similar" } ], "uuid": "6f9bb24d-cce2-49de-bedd-1849d9bde7a0", @@ -5328,6 +5089,7 @@ "software_attack_id": "S0575", "source": "MITRE", "tags": [ + "a3d78265-f5b3-4254-8af5-c629dbb795d4", "64d3f7d8-30b7-4b03-bee2-a6029672216c", "375983b3-6e87-4281-99e2-1561519dd17b", "3ed2343c-a29c-42e2-8259-410381164c6a", @@ -5359,10 +5121,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", - "type": "similar" } ], "uuid": "8e995c29-2759-4aeb-9a0f-bb7cd97b06e5", @@ -5375,7 +5133,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5095", + "software_attack_id": "S3207", "source": "Tidal Cyber", "tags": [ "53ac2b35-d302-4bdd-9931-5b6c6cb31b96", @@ -5402,12 +5160,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "eedc01d5-95e6-4d21-bcd4-1121b1df4586", - "type": "similar" - } - ], + "related": [], "uuid": "6e2c4aef-2f69-4507-9ee3-55432d76341e", "value": "CookieMiner" }, @@ -5430,10 +5183,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", - "type": "similar" } ], "uuid": "f13c8455-d615-4f8d-9d9c-5b31e593cd8a", @@ -5446,7 +5195,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5209", + "software_attack_id": "S3330", "source": "Tidal Cyber", "tags": [ "a19a158e-aec4-410a-8c3e-e9080b111183", 
@@ -5480,15 +5229,36 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "type": "similar" } ], "uuid": "3b193f62-2b49-4eff-bdf4-501fb8a28274", "value": "CORESHELL" }, + { + "description": "Corona is a suspected variant of the popular Mirai botnet, which has been observed since at least 2020 (its name likely relates to the COVID-19 pandemic).[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux" + ], + "software_attack_id": "S3167", + "source": "Tidal Cyber", + "tags": [ + "55cb344a-cbd5-4fd1-a1e9-30bbc956527e", + "f925e659-1120-4b76-92b6-071a7fb757d6", + "06236145-e9d6-461c-b7e4-284b3de5f561", + "a98d7a43-f227-478e-81de-e7299639a355", + "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a", + "e809d252-12cc-494d-94f5-954c49eb87ce" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "e4e37a06-ee31-44bf-a818-efa236ada136", + "value": "Corona (Mirai Botnet Variant)" + }, { "description": "[CosmicDuke](https://app.tidalcyber.com/software/43b317c6-5b4f-47b8-b7b4-15cd6f455091) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]", "meta": { @@ -5508,10 +5278,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "type": "similar" } ], "uuid": "43b317c6-5b4f-47b8-b7b4-15cd6f455091", @@ -5529,12 +5295,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5d342981-5194-41e7-b33f-8e91998d7d88", - "type": "similar" - } - ], + "related": [], "uuid": "ea9e2d19-89fe-4039-a1e0-467b14554c6f", "value": "CostaBricks" }, 
@@ -5557,10 +5318,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "type": "similar" } ], "uuid": "c2353daa-fd4c-44e1-8013-55400439965a", @@ -5575,6 +5332,12 @@ "software_attack_id": "S0488", "source": "MITRE", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", "e1af18e3-3224-4e4c-9d0f-533768474508", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "e81ba503-60b0-4b64-8f20-ef93e7783796" @@ -5603,10 +5366,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", - "type": "similar" } ], "uuid": "47e710b4-1397-47cf-a979-20891192f313", @@ -5619,7 +5378,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5210", + "software_attack_id": "S3331", "source": "Tidal Cyber", "tags": [ "7beee233-2b65-4593-88e6-a5c0c02c6a08", @@ -5641,7 +5400,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5074", + "software_attack_id": "S3099", "source": "Tidal Cyber", "tags": [ "904ad11a-20ca-479c-ad72-74bd5d9dc7e4", @@ -5682,10 +5441,6 @@ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" - }, - { - "dest-uuid": "750eb92a-7fdf-451e-9592-1d42357018f1", - "type": "similar" } ], "uuid": "7f7f05c3-fbb1-475e-b672-2113709065c8", @@ -5707,10 +5462,6 @@ { "dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315", "type": "used-by" - }, - { - "dest-uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b", - "type": "similar" } ], "uuid": "11ce380c-481b-4c9b-b44e-06f1a91c01c1", 
@@ -5735,10 +5486,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "type": "similar" } ], "uuid": "3b3f296f-20a6-459a-98c5-62ebdee3701f", @@ -5762,10 +5509,6 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" - }, - { - "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", - "type": "similar" } ], "uuid": "38811c3b-f548-43fa-ab26-c7243b84a055", @@ -5787,10 +5530,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593", - "type": "similar" } ], "uuid": "e1ad229b-d750-4148-a1f3-36e767b03cd1", @@ -5812,10 +5551,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862", - "type": "similar" } ], "uuid": "12ce6d04-ebe5-440e-b342-0283b7c8a0c8", @@ -5828,7 +5563,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5096", + "software_attack_id": "S3208", "source": "Tidal Cyber", "tags": [ "2ee25dd6-256c-4659-b1b6-f5afc943ccc1", @@ -5855,7 +5590,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5097", + "software_attack_id": "S3209", "source": "Tidal Cyber", "tags": [ "7cae5f59-dbbf-406f-928d-118430d2bdd0", @@ -5877,7 +5612,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5211", + "software_attack_id": "S3332", "source": "Tidal Cyber", "tags": [ "86bb7f3c-652c-4f77-af2a-34677ff42315", @@ -5908,10 +5643,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94", - "type": "similar" } ], "uuid": "eb481db6-d7ba-4873-a171-76a228c9eb97", @@ -5955,10 +5686,6 @@ { "dest-uuid": "c2015888-72c0-4367-b2cf-df85688a56b7", "type": "used-by" - }, - { - "dest-uuid": "6cd07296-14aa-403d-9229-6343d03d4752", - "type": "similar" } ], "uuid": "095064c6-144e-4935-b878-f82151bc08e4", 
@@ -5971,7 +5698,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5098", + "software_attack_id": "S3210", "source": "Tidal Cyber", "tags": [ "536c3d51-9fc4-445e-9723-e11b69f0d6d5", @@ -6006,10 +5733,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e", - "type": "similar" } ], "uuid": "68792756-7dbf-41fd-8d48-ac3cc2b52712", @@ -6033,10 +5756,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", - "type": "similar" } ], "uuid": "9d521c18-09f0-47be-bfe5-e1bf26f7b928", @@ -6061,10 +5780,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb", - "type": "similar" } ], "uuid": "131c0eb2-9191-4ccd-a2d6-5f36046a8f2f", @@ -6097,10 +5812,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", - "type": "similar" } ], "uuid": "74f88899-56d0-4de8-97de-539b3590ab90", @@ -6115,6 +5826,7 @@ "software_attack_id": "S1111", "source": "MITRE", "tags": [ + "7b774e30-5065-41bd-85e2-e02d09e419ed", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ @@ -6125,10 +5837,6 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" - }, - { - "dest-uuid": "6f6f67c9-556d-4459-95c2-78d272190e52", - "type": "similar" } ], "uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55", @@ -6171,12 +5879,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8", - "type": "similar" - } - ], + "related": [], "uuid": "35abcb6b-3259-57c1-94fc-50cfd5bde786", "value": "DarkTortilla" }, @@ -6195,12 +5898,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "63686509-069b-4143-99ea-4e59cad6cb2a", - "type": "similar" - } - ], + "related": [], "uuid": "740a0327-4caf-4d90-8b51-f3f9a4d59b37", "value": "DarkWatchman" }, 
@@ -6220,10 +5918,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "type": "similar" } ], "uuid": "fad65026-57c4-4d4f-8803-87178dd4b887", @@ -6236,7 +5930,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5099", + "software_attack_id": "S3211", "source": "Tidal Cyber", "tags": [ "0576be43-65c6-4d1a-8a06-ed8232ca0120", @@ -6258,7 +5952,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5287", + "software_attack_id": "S3002", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -6293,10 +5987,6 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" - }, - { - "dest-uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0", - "type": "similar" } ], "uuid": "26ae3cd1-6710-4807-b674-957bd67d3e76", @@ -6315,10 +6005,6 @@ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" - }, - { - "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", - "type": "similar" } ], "uuid": "0657b804-a889-400a-97d7-a4989809a623", @@ -6339,12 +6025,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470", - "type": "similar" - } - ], + "related": [], "uuid": "e9533664-90c5-5b40-a40e-a69a2eda8bc9", "value": "DEADEYE" }, @@ -6367,10 +6048,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", - "type": "similar" } ], "uuid": "64dc5d44-2304-4875-b517-316ab98512c2", @@ -6392,12 +6069,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "6de9cad1-eed2-4e27-b0b5-39fa29349ea0", - "type": "similar" - } - ], + "related": [], "uuid": "832f5ab1-1267-40c9-84ef-f32d6373be4e", "value": "DEATHRANSOM" }, @@ -6408,7 +6080,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5212", + "software_attack_id": "S3333", "source": "Tidal Cyber", "tags": [ "4f7be515-680e-4375-81f6-c71c83dd440d", 
@@ -6430,7 +6102,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5029", + "software_attack_id": "S3031", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -6477,10 +6149,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", - "type": "similar" } ], "uuid": "df4002d2-f557-4f95-af7a-9a4582fb7068", @@ -6493,7 +6161,7 @@ "platforms": [ "IaaS" ], - "software_attack_id": "S5313", + "software_attack_id": "S3126", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -6541,10 +6209,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "type": "similar" } ], "uuid": "9222aa77-922e-43c7-89ad-71067c428fb2", @@ -6557,7 +6221,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5188", + "software_attack_id": "S3309", "source": "Tidal Cyber", "tags": [ "7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079", @@ -6579,7 +6243,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5100", + "software_attack_id": "S3212", "source": "Tidal Cyber", "tags": [ "acc0e091-a071-4e83-b0b1-4f3adebeafa3", @@ -6601,7 +6265,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5101", + "software_attack_id": "S3213", "source": "Tidal Cyber", "tags": [ "2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25", @@ -6623,7 +6287,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5213", + "software_attack_id": "S3334", "source": "Tidal Cyber", "tags": [ "bb814941-0155-49b1-8f93-39626d4f0ddd", @@ -6645,7 +6309,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5214", + "software_attack_id": "S3335", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -6666,7 +6330,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5252", + "software_attack_id": "S3373", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", 
@@ -6687,7 +6351,7 @@ "platforms": [ "Linux" ], - "software_attack_id": "S5021", + "software_attack_id": "S3059", "source": "Tidal Cyber", "tags": [ "a98d7a43-f227-478e-81de-e7299639a355", @@ -6708,7 +6372,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5189", + "software_attack_id": "S3310", "source": "Tidal Cyber", "tags": [ "91fd24c3-f371-4c3b-b997-cd85e25c0967", @@ -6730,7 +6394,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5102", + "software_attack_id": "S3214", "source": "Tidal Cyber", "tags": [ "18d6d91d-7df0-44c8-88fe-986d9ba00b8d", @@ -6752,7 +6416,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5103", + "software_attack_id": "S3215", "source": "Tidal Cyber", "tags": [ "96f9b39f-0c59-48a0-9702-01920c1293a7", @@ -6787,10 +6451,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623", - "type": "similar" } ], "uuid": "d057b6e7-1de4-4f2f-b374-7e879caecd67", @@ -6812,10 +6472,6 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" - }, - { - "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", - "type": "similar" } ], "uuid": "226ee563-4d49-48c2-aa91-82999f43ce30", @@ -6837,10 +6493,6 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" - }, - { - "dest-uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", - "type": "similar" } ], "uuid": "194314e3-4edc-5346-96b6-d2d7bf5d830a", @@ -6853,7 +6505,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5104", + "software_attack_id": "S3216", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -6874,7 +6526,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5016", + "software_attack_id": "S3217", "source": "Tidal Cyber", "tags": [ "a45f9597-09c4-4e70-a7d3-d8235d2451a3", 
@@ -6919,10 +6571,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900", - "type": "similar" } ], "uuid": "e69a913d-4ddc-4d69-9961-25a31cae5899", @@ -6935,7 +6583,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5215", + "software_attack_id": "S3336", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -6968,10 +6616,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", - "type": "similar" } ], "uuid": "81ce23c0-f505-4d75-9928-4fbd627d3bc2", @@ -6989,12 +6633,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f36b2598-515f-4345-84e5-5ccde253edbe", - "type": "similar" - } - ], + "related": [], "uuid": "dfa14314-3c64-4a10-9889-0423b884f7aa", "value": "Dok" }, @@ -7014,12 +6653,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", - "type": "similar" - } - ], + "related": [], "uuid": "e6160c55-1868-47bd-bec6-7becbf236bbb", "value": "Doki" }, @@ -7043,10 +6677,6 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" - }, - { - "dest-uuid": "a7b5df47-73bb-4d47-b701-869f185633a6", - "type": "similar" } ], "uuid": "40d25a38-91f4-4e07-bb97-8866bed8e44f", @@ -7059,7 +6689,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5216", + "software_attack_id": "S3337", "source": "Tidal Cyber", "tags": [ "09c24b93-bf06-4cbb-acb0-d7b9657a41dc", 
@@ -7074,6 +6704,33 @@ "uuid": "1bcd9c93-0944-4671-ab01-cabc5ffe30bf", "value": "Dotnet" }, + { + "description": "DOWNBAIT is a downloader, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3177", + "source": "Tidal Cyber", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "bd55fa7c-7747-4d3d-8176-e6c56870b2a3", + "value": "DOWNBAIT" + }, { "description": "[Downdelph](https://app.tidalcyber.com/software/f7b64b81-f9e7-46bf-8f63-6d7520da832c) is a first-stage downloader written in Delphi that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) in rare instances between 2013 and 2015. [[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)]", "meta": { @@ -7093,10 +6750,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "type": "similar" } ], "uuid": "f7b64b81-f9e7-46bf-8f63-6d7520da832c", @@ -7121,10 +6774,6 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc", - "type": "similar" } ], "uuid": "20b796cf-6c90-4928-999e-88107078e15e", @@ -7138,6 +6787,9 @@ ], "software_attack_id": "S0186", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] 
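Review bot: The added DOWNBAIT entry's reference link is site-relative, `[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]`, whereas the neighbouring Downdelph entry in the same hunk uses the absolute `https://app.tidalcyber.com/references/...` form. Rendered anywhere other than the originating site (the misp-galaxy pages, a MISP instance) the relative form resolves to nothing. The same shape appears in the other entries added in this chunk (Dumpert, EDRSandBlast, Edumper, FDMTP, Gamarue), and the existing DumpMinitool text shows the file already contains some, so this is presumably how the upstream export now emits them; if the generator can prefix the host, rewriting `/references/` to `https://app.tidalcyber.com/references/` would make the new entries consistent with the older ones.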
@@ -7146,10 +6798,6 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" - }, - { - "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "type": "similar" } ], "uuid": "fc433c9d-a7fe-4915-8aa0-06b58f288249", @@ -7167,12 +6815,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "56aa3c82-ed40-4b5a-84bf-7231356d9e96", - "type": "similar" - } - ], + "related": [], "uuid": "c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf", "value": "DRATzarus" }, @@ -7199,10 +6842,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", - "type": "similar" } ], "uuid": "e3cd4405-b698-41d9-88e4-fff29e7a19e2", @@ -7224,10 +6863,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa", - "type": "similar" } ], "uuid": "9c44d3f9-7a7b-4716-9cfa-640b36548ab0", @@ -7254,10 +6889,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "99164b38-1775-40bc-b77b-a2373b14540a", - "type": "similar" } ], "uuid": "bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b", @@ -7270,7 +6901,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5217", + "software_attack_id": "S3338", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -7310,10 +6941,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", - "type": "similar" } ], "uuid": "06402bdc-a4a1-4e4a-bfc4-09f2c159af75", @@ -7338,10 +6965,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "f8774023-8021-4ece-9aca-383ac89d2759", - "type": "similar" } ], "uuid": "aa21462d-9653-48eb-a82e-5c93c9db5f7a", 
@@ -7354,7 +6977,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5218", + "software_attack_id": "S3339", "source": "Tidal Cyber", "tags": [ "0f09c7f5-ba57-4ef0-a196-e85558804496", 
@@ -7369,6 +6992,34 @@ "uuid": "13482336-e22b-48e9-bd49-c6e6fc6612ec", "value": "Dump64" }, + { + "description": "Dumpert is an open-source tool that provides credential dumping capabilities. It has been leveraged by adversaries including North Korean state-sponsored espionage groups.[[GitHub outflanknl Dumpert](/references/ab375812-def9-4491-a69f-62755fb26910)][[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3166", + "source": "Tidal Cyber", + "tags": [ + "bdeef9bf-b9d5-41ec-9d4c-0315709639a2", + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "27a117ce-bb19-4f79-9bc2-a851b69c5c50", + "6070668f-1cbd-4878-8066-c636d1d8659c", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "0ffc1b99-5ca1-4af4-95c7-7a311a32f911", + "value": "Dumpert" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Dump tool part Visual Studio 2022\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\Extensions\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1511415432888131586](https://twitter.com/mrd0x/status/1511415432888131586)\n\n**Detection:**\n* Sigma: [proc_creation_win_dumpminitool_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml)\n* Sigma: 
[proc_creation_win_dumpminitool_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml)\n* Sigma: [proc_creation_win_devinit_lolbin_usage.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml)[[DumpMinitool.exe - LOLBAS Project](/references/4634e025-c005-46fe-b97c-5d7dda455ba0)]", "meta": { @@ -7376,7 +7027,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5219", + "software_attack_id": "S3340", "source": "Tidal Cyber", "tags": [ "3b6ad94f-83ce-47bf-b82d-b98358d23434", @@ -7406,12 +7057,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "type": "similar" - } - ], + "related": [], "uuid": "d4a664e5-9819-4f33-8b2b-e6f8e6a64999", "value": "Duqu" }, @@ -7434,10 +7080,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "type": "similar" } ], "uuid": "77506f02-104f-4aac-a4e0-9649bd7efe2e", @@ -7450,7 +7092,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5220", + "software_attack_id": "S3341", "source": "Tidal Cyber", "tags": [ "6d065f28-e32d-4e87-b315-c43ebc45532a", @@ -7481,10 +7123,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", - "type": "similar" } ], "uuid": "38e012f7-fb3a-4250-a129-92da3a488724", @@ -7497,7 +7135,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5013", + "software_attack_id": "S3053", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", 
@@ -7541,10 +7179,6 @@ { "dest-uuid": "eeb69751-8c22-4a5f-8da2-239cc7d7746c", "type": "used-by" - }, - { - "dest-uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", - "type": "similar" } ], "uuid": "2375465a-e6a9-40ab-b631-a5b04cf5c689", @@ -7570,10 +7204,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", - "type": "similar" } ], "uuid": "70f703b3-0e24-4ffe-9772-f0e386ec607f", @@ -7595,10 +7225,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3", - "type": "similar" } ], "uuid": "6508d3dc-eb22-468c-9122-dcf541caa69c", @@ -7611,7 +7237,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5332", + "software_attack_id": "S3147", "source": "Tidal Cyber", "tags": [ "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", 
@@ -7626,11 +7252,72 @@ { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" + }, + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" } ], "uuid": "1233436f-2a00-4557-89a4-8cbc45e6f9f7", "value": "EDRKillShifter" }, + { + "description": "An open-source, multi-purpose tool with defense evasion, credential dumping, and privilege escalation capabilities, observed in use during ransomware intrusions.[[GitHub wavestone-cdt EDRSandBlast](/references/228dd3e1-1952-447c-a500-31663a2efe45)][[Morphisec September 3 2024](/references/90549699-8815-45e8-820c-4f5a7fc584b8)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3165", + "source": "Tidal Cyber", + "tags": [ + "835c9c79-3824-41ec-8d5a-1e2526e89e0b", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "7de7d799-f836-4555-97a4-0db776eb6932", + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "e1af18e3-3224-4e4c-9d0f-533768474508", + "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb" + ], + "type": [ + "tool" + ] + }, + "related": [ + { + "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897", + "type": "used-by" + } + ], + "uuid": "fbd2d7b0-0aa8-459f-8bfa-16daae769282", + "value": "EDRSandBlast" + }, + { + "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3157", + "source": "Tidal Cyber", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "d1279b84-11f4-4804-9e5e-05c650960aac", + "value": "Edumper" + }, { "description": 
"[Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) and Sekhmet ransomware, as well as [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware.[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)][[Cyble Egregor Oct 2020](https://app.tidalcyber.com/references/545a131d-88fc-4b34-923c-0b759b45fc7f)][[Security Boulevard Egregor Oct 2020](https://app.tidalcyber.com/references/cd37a000-9e15-45a3-a7c9-bb508c10e55d)]", "meta": { @@ -7650,12 +7337,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "cc4c1287-9c86-4447-810c-744f3880ec37", - "type": "similar" - } - ], + "related": [], "uuid": "0e36b62f-a6e2-4406-b3d9-e05204e14a66", "value": "Egregor" }, @@ -7676,12 +7358,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "type": "similar" - } - ], + "related": [], "uuid": "cd7821cb-32f3-4d81-a5d1-0cdee94a15c4", "value": "EKANS" }, @@ -7693,7 +7370,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5330", + "software_attack_id": "S3145", "source": "Tidal Cyber", "tags": [ "a2e000da-8181-4327-bacd-32013dbd3654", @@ -7735,10 +7412,6 @@ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" - }, - { - "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "type": "similar" } ], "uuid": "fd5efee9-8710-4536-861f-c88d882f4d24", @@ -7760,10 +7433,6 @@ { "dest-uuid": "06a05175-0812-44f5-a529-30eba07d1762", "type": "used-by" - }, - { - "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "type": "similar" } ], "uuid": "6a3ca97e-6dd6-44e5-a5f0-7225099ab474", 
@@ -7785,10 +7454,6 @@ { "dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52", "type": "used-by" - }, - { - "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "type": "similar" } ], "uuid": "fd95d38d-83f9-4b31-8292-ba2b04275b36", @@ -7823,10 +7488,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", - "type": "similar" } ], "uuid": "c987d255-a351-4736-913f-91e2f28d0654", @@ -7926,10 +7587,6 @@ { "dest-uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533", "type": "used-by" - }, - { - "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", - "type": "similar" } ], "uuid": "fea655ac-558f-4dd0-867f-9a5553626207", @@ -7944,6 +7601,7 @@ "software_attack_id": "S0634", "source": "MITRE", "tags": [ + "542316f4-baf4-4cf7-929b-b1deed09d23b", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ @@ -7954,10 +7612,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d", - "type": "similar" } ], "uuid": "8da6fbf0-a18d-49a0-9235-101300d49d5e", @@ -7982,10 +7636,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", - "type": "similar" } ], "uuid": "a7e71387-b276-413c-a0de-4cf07e39b158", @@ -8016,10 +7666,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27", - "type": "similar" } ], "uuid": "a7589733-6b04-4215-a4e7-4b62cd4610fa", @@ -8032,7 +7678,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5105", + "software_attack_id": "S3219", "source": "Tidal Cyber", "tags": [ "59d03fb8-0620-468a-951c-069473cb86bc", @@ -8059,12 +7705,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a8a778f5-0035-4870-bb25-53dc05029586", - "type": "similar" - } - ], + "related": [], "uuid": "300e8176-e7ee-44ef-8d10-dff96502f6c6", "value": "EvilBunny" }, 
@@ -8075,7 +7716,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5078", + "software_attack_id": "S3103", "source": "Tidal Cyber", "tags": [ "fe28cf32-a15c-44cf-892c-faa0360d6109", @@ -8119,10 +7760,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "type": "similar" } ], "uuid": "e862419c-d6b6-4433-a02a-c1cc98ea6f9e", @@ -8147,10 +7784,6 @@ { "dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd", "type": "used-by" - }, - { - "dest-uuid": "7cdfccda-2950-4167-981a-60872ff5d0db", - "type": "similar" } ], "uuid": "e0eaae6d-5137-4053-bf37-ff90bf5767a9", @@ -8172,10 +7805,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd", - "type": "similar" } ], "uuid": "c773f709-b5fe-4514-9d88-24ceb0dd8063", @@ -8197,10 +7826,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", - "type": "similar" } ], "uuid": "21569dfb-c9f1-468e-903e-348f19dbae1f", @@ -8213,7 +7838,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5221", + "software_attack_id": "S3342", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -8234,7 +7859,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5054", + "software_attack_id": "S3077", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745" @@ -8269,12 +7894,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973", - "type": "similar" - } - ], + "related": [], "uuid": "5d7a39e3-c667-45b3-987e-3b0ca49cff61", "value": "Expand" }, @@ -8285,7 +7905,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5106", + "software_attack_id": "S3221", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", 
@@ -8324,10 +7944,6 @@ { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" - }, - { - "dest-uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44", - "type": "similar" } ], "uuid": "572eec55-2855-49ac-a82e-2c21e9aca27e", @@ -8340,7 +7956,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5107", + "software_attack_id": "S3222", "source": "Tidal Cyber", "tags": [ "5b81675a-742a-4ffd-b410-44ce3f1b0831", @@ -8362,7 +7978,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5030", + "software_attack_id": "S3032", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -8397,7 +8013,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5108", + "software_attack_id": "S3223", "source": "Tidal Cyber", "tags": [ "92092803-19a9-4288-b7fb-08e92e8ea693", @@ -8428,10 +8044,6 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" - }, - { - "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "type": "similar" } ], "uuid": "8c64a330-1457-4c32-ab2f-12b6eb37d607", @@ -8444,7 +8056,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5321", + "software_attack_id": "S3136", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -8481,10 +8093,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "type": "similar" } ], "uuid": "ea47f1fd-0171-4254-8c92-92b7a5eec5e1", 
@@ -8509,15 +8117,38 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a", - "type": "similar" } ], "uuid": "997ff740-1b00-40b6-887a-ef4101e93295", "value": "FatDuke" }, + { + "description": "FDMTP is a downloader, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3173", + "source": "Tidal Cyber", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "8e623e62-524f-43de-934c-3792bfd69d3f", + "value": "FDMTP" + }, { "description": "[Felismus](https://app.tidalcyber.com/software/c66ed8ab-4692-4948-820e-5ce87cc78db5) is a modular backdoor that has been used by [Sowbug](https://app.tidalcyber.com/groups/6632f07f-7c6b-4d12-8544-82edc6a7a577). [[Symantec Sowbug Nov 2017](https://app.tidalcyber.com/references/14f49074-fc46-45d3-bf7e-30c896c39c07)] [[Forcepoint Felismus Mar 2017](https://app.tidalcyber.com/references/23b94586-3856-4937-9b02-4fe184b7ba01)]", "meta": { @@ -8534,10 +8165,6 @@ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" - }, - { - "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "type": "similar" } ], "uuid": "c66ed8ab-4692-4948-820e-5ce87cc78db5", @@ -8555,12 +8182,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624", - "type": "similar" - } - ], + "related": [], "uuid": "4b1a07cd-4c1f-4d93-a454-07fd59b3039a", "value": "FELIXROOT" }, 
@@ -8580,10 +8202,6 @@ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" - }, - { - "dest-uuid": "73d08401-005f-4e1f-90b9-8f45d120879f", - "type": "similar" } ], "uuid": "3e54ba7a-fd4c-477f-9c2d-34b4f69fc091", @@ -8601,12 +8219,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", - "type": "similar" - } - ], + "related": [], "uuid": "1bbf04bb-d869-48c5-a538-70a25503de1d", "value": "Fgdump" }, @@ -8617,7 +8230,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5031", + "software_attack_id": "S3033", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -8676,10 +8289,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", - "type": "similar" } ], "uuid": "eb4dc358-e353-47fc-8207-b7cb10d580f7", @@ -8692,7 +8301,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5109", + "software_attack_id": "S3224", "source": "Tidal Cyber", "tags": [ "6ca537bb-94b6-4b12-8978-6250baa6a5cb", @@ -8733,10 +8342,6 @@ { "dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14", "type": "used-by" - }, - { - "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", - "type": "similar" } ], "uuid": "41f54ce1-842c-428a-977f-518a5b63b4d7", @@ -8749,7 +8354,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5110", + "software_attack_id": "S3225", "source": "Tidal Cyber", "tags": [ "1da4f610-4c54-46a3-b9b3-c38a002b623e", @@ -8787,10 +8392,6 @@ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" - }, - { - "dest-uuid": "f464354c-7103-47c6-969b-8766f0157ed2", - "type": "similar" } ], "uuid": "84187393-2fe9-4136-8720-a6893734ee8c", @@ -8815,10 +8416,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d", - "type": "similar" } ], "uuid": "977aaf8a-2216-40f0-8682-61dd91638147", 
@@ -8839,12 +8436,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "type": "similar" - } - ], + "related": [], "uuid": "87604333-638f-4f4a-94e0-16aa825dd5b8", "value": "Flame" }, @@ -8864,10 +8456,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "type": "similar" } ], "uuid": "44a5e62a-6de4-49d2-8f1b-e68ecdf9f332", @@ -8896,10 +8484,6 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" - }, - { - "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", - "type": "similar" } ], "uuid": "308dbe77-3d58-40bb-b0a5-cd00f152dc60", @@ -8914,6 +8498,7 @@ "software_attack_id": "S0383", "source": "MITRE", "tags": [ + "ede6e717-5e5f-4321-9ddd-d0d7ab315a89", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "84615fe0-c2a5-4e07-8957-78ebc29b4635", @@ -8935,10 +8520,6 @@ { "dest-uuid": "eb10ed9e-ea8d-4b61-bfc3-5994d30970df", "type": "used-by" - }, - { - "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", - "type": "similar" } ], "uuid": "c558e948-c817-4494-a95d-ad3207f10e26", @@ -8951,7 +8532,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5056", + "software_attack_id": "S3079", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -8991,10 +8572,6 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" - }, - { - "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", - "type": "similar" } ], "uuid": "18002747-ddcc-42c1-b0ca-1e598a9f1919", @@ -9007,7 +8584,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5111", + "software_attack_id": "S3226", "source": "Tidal Cyber", "tags": [ "49bbb074-2406-4f27-ad77-d2e433ba1ccb", 
@@ -9041,10 +8618,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44", - "type": "similar" } ], "uuid": "bc11844e-0348-4eed-a48a-0554d68db38c", @@ -9057,7 +8630,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5331", + "software_attack_id": "S3146", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -9101,10 +8674,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2", - "type": "similar" } ], "uuid": "c6dc67a6-587d-4700-a7de-bee043a0031a", @@ -9117,7 +8686,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5288", + "software_attack_id": "S3003", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -9144,12 +8713,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "bcaae558-9697-47a2-9ec7-c75000ddf58c", - "type": "similar" - } - ], + "related": [], "uuid": "83721b89-df58-50bf-be2a-0b696fb0da78", "value": "FRAMESTING" }, @@ -9166,10 +8730,6 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" - }, - { - "dest-uuid": "1cdbbcab-903a-414d-8eb0-439a97343737", - "type": "similar" } ], "uuid": "aef7cbbc-5163-419c-8e4b-3f73bed50474", @@ -9182,7 +8742,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5032", + "software_attack_id": "S3034", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -9222,12 +8782,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36", - "type": "similar" - } - ], + "related": [], "uuid": "3a05085e-5a1f-4a74-b489-d679b80e2c18", "value": "FruitFly" }, @@ -9238,7 +8793,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5222", + "software_attack_id": "S3343", "source": "Tidal Cyber", "tags": [ "7a4b56fa-5419-411b-86fe-68c9b0ddd3c5", 
@@ -9269,7 +8824,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5223", + "software_attack_id": "S3344", "source": "Tidal Cyber", "tags": [ "c5d1a687-8a36-4995-b8cb-415f33661821", @@ -9291,7 +8846,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5112", + "software_attack_id": "S3228", "source": "Tidal Cyber", "tags": [ "76bb7541-94da-4d66-9a57-77f788330287", @@ -9346,10 +8901,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", - "type": "similar" } ], "uuid": "062deac9-8f05-44e2-b347-96b59ba166ca", @@ -9370,12 +8921,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "be25c1c0-1590-4219-a3d5-6f31799d1d1b", - "type": "similar" - } - ], + "related": [], "uuid": "d0490e1d-8287-44d3-8342-944d1203b237", "value": "FunnyDream" }, @@ -9395,10 +8941,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "434ba392-ebdc-488b-b1ef-518deea65774", - "type": "similar" } ], "uuid": "be9a2ae5-373a-4dee-9c1e-b54235dafed0", 
@@ -9423,15 +8965,35 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b", - "type": "similar" } ], "uuid": "317a7647-aee7-4ce1-a8f8-33a61190f55d", "value": "Fysbis" }, + { + "description": "Gamarue is a longstanding family of malicious software which can provide backdoor access to a system. Researchers have observed Gamarue variants with worm-like redistribution capabilities. Gamarue is often observed being delivered via exploit kits, as an attachment to a spam email, or via USB or other removable media.[[microsoft.com April 2 2012](/references/de44abcc-9467-4c63-b0c4-c3a3b282ae39)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S5282", + "source": "Tidal Cyber", + "tags": [ + "ca440076-2a36-405a-bf4c-d4529e91b641", + "e809d252-12cc-494d-94f5-954c49eb87ce", + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "cac54152-17ad-4bb9-a412-53a35af1e95a", + "value": "Gamarue" + }, { "description": "[Gazer](https://app.tidalcyber.com/software/7a60b984-b0c8-4acc-be24-841f4b652872) is a backdoor used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2016. [[ESET Gazer Aug 2017](https://app.tidalcyber.com/references/9d1c40af-d4bc-4d4a-b667-a17378942685)]", "meta": { @@ -9451,10 +9013,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "type": "similar" } ], "uuid": "7a60b984-b0c8-4acc-be24-841f4b652872", @@ -9472,12 +9030,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b", - "type": "similar" - } - ], + "related": [], "uuid": "9a117508-1d22-4fea-aa65-db670c13a5c9", "value": "Gelsemium" }, 
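Review bot: The added Gamarue entry carries `"software_attack_id": "S5282"`, which is the only S5-range id left on the new side of this chunk: every existing S5 id in the diff is rewritten to an S3 value, and the other entries added alongside it (DOWNBAIT S3177, Dumpert S3166, EDRSandBlast S3165, Edumper S3157, FDMTP S3173) are all in the S3 range. That looks like an id that missed the renumbering or was taken from a stale export; since this field is the stable key consumers would use for the object, it is worth confirming against the source before publishing. If it is correct as-is, a short commit note explaining why Gamarue keeps an S5 id would avoid the question recurring.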
@@ -9497,10 +9050,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "type": "similar" } ], "uuid": "97f32f68-dcd2-4f80-9967-cc87305dc342", @@ -9525,10 +9074,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69", - "type": "similar" } ], "uuid": "a997aaaf-edfc-4489-80a9-3f8d64545de1", @@ -9541,7 +9086,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5186", + "software_attack_id": "S3307", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -9611,10 +9156,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "type": "similar" } ], "uuid": "269ef8f5-35c8-44ba-afe4-63f4c6431427", @@ -9632,12 +9173,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "554e010d-726b-439d-9a1a-f60fff0cc109", - "type": "similar" - } - ], + "related": [], "uuid": "5c1a1ce5-927c-5c79-8a14-2789756d41ee", "value": "GLASSTOKEN" }, @@ -9657,10 +9193,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", - "type": "similar" } ], "uuid": "09fdec78-5253-433d-8680-294ba6847be9", @@ -9673,9 +9205,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5033", + "software_attack_id": "S3035", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -9693,6 +9226,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" 
@@ -9725,10 +9262,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", - "type": "similar" } ], "uuid": "348fdeb5-6a74-4803-ac6e-e0133ecd7263", @@ -9749,12 +9282,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b9704a7d-feef-4af9-8898-5280f1686326", - "type": "similar" - } - ], + "related": [], "uuid": "1b135393-c799-4698-a880-c6a86782adee", "value": "GoldenSpy" }, @@ -9774,10 +9302,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "b7010785-699f-412f-ba49-524da6033c76", - "type": "similar" } ], "uuid": "4e8c58c5-443e-4f73-91e9-89146f04e307", @@ -9803,10 +9327,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0", - "type": "similar" } ], "uuid": "b05a9763-4288-4656-bf4e-ba02bb8b35d6", @@ -9831,10 +9351,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad", - "type": "similar" } ], "uuid": "a75855fd-2b6b-43d8-99a5-2be03b544f34", @@ -9847,7 +9363,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5318", + "software_attack_id": "S3131", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -9875,9 +9391,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5289", + "software_attack_id": "S3004", "source": "Tidal Cyber", "tags": [ + "870fdd22-b373-4cb2-8a00-0acfa4aac897", "e551ae97-d1b4-484e-9267-89f33829ec2c", "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -9904,7 +9421,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5113", + "software_attack_id": "S3230", "source": "Tidal Cyber", "tags": [ "2ca5c5e4-ee7f-4698-84ec-ce04d2c1e9cc", 
@@ -9934,12 +9451,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "958b5d06-8bb0-4c5b-a2e7-0130fe654ac7", - "type": "similar" - } - ], + "related": [], "uuid": "61d277f2-abdc-4f2b-b50a-10d0fe91e588", "value": "Grandoreiro" }, @@ -9950,7 +9462,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5077", + "software_attack_id": "S3102", "source": "Tidal Cyber", "type": [ "malware" @@ -9977,12 +9489,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "1d1fce2f-0db5-402b-9843-4278a0694637", - "type": "similar" - } - ], + "related": [], "uuid": "08cb425d-7b7a-41dc-a897-9057ce57fea9", "value": "GravityRAT" }, @@ -10001,12 +9508,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "59c8a28c-200c-4565-9af1-cbdb24870ba0", - "type": "similar" - } - ], + "related": [], "uuid": "f5691425-6690-4e5e-8304-3ede9d2f5a90", "value": "Green Lambert" }, @@ -10026,10 +9528,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", - "type": "similar" } ], "uuid": "f646e7f9-4d09-46f6-9831-54668fa20483", @@ -10054,10 +9552,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142", - "type": "similar" } ], "uuid": "ad358082-d83a-4c22-81a1-6c34dd67af26", @@ -10086,10 +9580,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", - "type": "similar" } ], "uuid": "c40a71d4-8592-4f82-8af5-18f763e52caf", @@ -10102,7 +9592,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5079", + "software_attack_id": "S3064", "source": "Tidal Cyber", "tags": [ "4d767e87-4cf6-438a-927a-43d2d0beaab7" @@ -10155,10 +9645,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", - "type": "similar" } ], "uuid": "5ffe662f-9da1-4b6f-ad3a-f296383e828c", 
@@ -10173,20 +9659,13 @@ "software_attack_id": "S0561", "source": "MITRE", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ "malware" ] }, - "related": [ - { - "dest-uuid": "45c759ac-b490-48bb-80d4-c8eee3431027", - "type": "similar" - } - ], + "related": [], "uuid": "03e985d6-870b-4533-af13-08b1e0511444", "value": "GuLoader" }, @@ -10202,12 +9681,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "type": "similar" - } - ], + "related": [], "uuid": "5f1602fe-a4ce-4932-9cf9-ec842f2c58f1", "value": "H1N1" }, @@ -10220,12 +9694,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", - "type": "similar" - } - ], + "related": [], "uuid": "75db2ac3-901e-4b1f-9a0d-bac6562d57a3", "value": "Hacking Team UEFI Rootkit" }, @@ -10242,10 +9711,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "type": "similar" } ], "uuid": "5edf0ef7-a960-4500-8a89-8c8b4fdf8824", @@ -10270,10 +9735,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "type": "similar" } ], "uuid": "cc07f03f-9919-4856-9b30-f4d88940b0ec", @@ -10294,12 +9755,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817", - "type": "similar" - } - ], + "related": [], "uuid": "4eee3272-07fa-48ee-a7b9-9dfee3e4550a", "value": "Hancitor" }, @@ -10316,10 +9772,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", - "type": "similar" } ], "uuid": "c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8", 
@@ -10341,10 +9793,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", - "type": "similar" } ], "uuid": "ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7", @@ -10363,10 +9811,6 @@ { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" - }, - { - "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", - "type": "similar" } ], "uuid": "8bd36306-bd4b-4a76-8842-44acb0cedbcc", @@ -10384,12 +9828,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", - "type": "similar" - } - ], + "related": [], "uuid": "392c5a32-53b5-4ce8-a946-226cb533cc4e", "value": "HAWKBALL" }, @@ -10409,10 +9848,6 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" - }, - { - "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", - "type": "similar" } ], "uuid": "a7ffe1bd-45ca-4ca4-94da-3b6c583a868d", @@ -10434,10 +9869,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", - "type": "similar" } ], "uuid": "f155b6f9-258d-4446-8867-fe5ee26d8c72", @@ -10467,10 +9898,6 @@ { "dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44", "type": "used-by" - }, - { - "dest-uuid": "5d11d418-95dd-4377-b782-23160dfa17b4", - "type": "similar" } ], "uuid": "813a4ca1-84fe-42dc-89de-5873d028f98d", @@ -10495,10 +9922,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "type": "similar" } ], "uuid": "d6560c81-1e7e-4d01-9814-4be4fb43e655", @@ -10519,12 +9942,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a0ab8a96-40c9-4483-8a54-3fafa6d6007a", - "type": "similar" - } - ], + "related": [], "uuid": "f0456f14-4913-4861-b4ad-5e7f3960040e", "value": "HermeticWiper" }, 
@@ -10543,12 +9961,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa", - "type": "similar" - } - ], + "related": [], "uuid": "36ddc8cd-8f80-489e-a702-c682936b5393", "value": "HermeticWizard" }, @@ -10571,10 +9984,6 @@ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" - }, - { - "dest-uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0", - "type": "similar" } ], "uuid": "1841a6e8-6c23-46a1-9c81-783746083764", @@ -10587,7 +9996,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5114", + "software_attack_id": "S3231", "source": "Tidal Cyber", "tags": [ "7d028d1e-7a95-47f0-9367-55517f9ef170", @@ -10614,12 +10023,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "fc774af4-533b-4724-96d2-ac1026316794", - "type": "similar" - } - ], + "related": [], "uuid": "ec02fb9c-bf9f-404d-bc54-819f2b3fb040", "value": "HiddenWasp" }, @@ -10642,10 +10046,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", - "type": "similar" } ], "uuid": "ce1af464-0b14-4fe9-8591-a6fe58aa96c7", @@ -10667,10 +10067,6 @@ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" - }, - { - "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61", - "type": "similar" } ], "uuid": "8046c80c-4339-4cfb-8bfd-464801db2bfe", 
@@ -10698,15 +10094,38 @@ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" - }, - { - "dest-uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120", - "type": "similar" } ], "uuid": "7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c", "value": "Hildegard" }, + { + "description": "HIUPAN is a worm, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3174", + "source": "Tidal Cyber", + "tags": [ + "e809d252-12cc-494d-94f5-954c49eb87ce", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "d4f74243-0d2d-4095-b66a-6d8291019125", + "value": "HIUPAN" + }, { "description": "[Hi-Zor](https://app.tidalcyber.com/software/286184d9-f28a-4d5a-a9dd-2216b3c47809) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c). It was used in a campaign named INOCNATION. [[Fidelis Hi-Zor](https://app.tidalcyber.com/references/0c9ff201-283a-4527-8cb8-6f0d05a4f724)]", "meta": { @@ -10722,12 +10141,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "type": "similar" - } - ], + "related": [], "uuid": "286184d9-f28a-4d5a-a9dd-2216b3c47809", "value": "Hi-Zor" }, @@ -10747,10 +10161,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", - "type": "similar" } ], "uuid": "16db13f2-f350-4323-96cb-c5f4ac36c3e0", 
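Review bot: The reference link in the new HIUPAN description is root-relative, `/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867`, while the Hi-Zor entry immediately below it and the rest of the file use absolute `https://app.tidalcyber.com/references/…` URLs, so once this cluster is rendered on misp-galaxy.org or inside a MISP instance the link resolves against the wrong host and dead-ends. The same relative form appears in the other entries this commit adds (Idumper, INC Ransomware, Lynx Ransomware), which suggests the importer, not the hand-written data, is at fault. Change it to `[[Trend Micro September 9 2024](https://app.tidalcyber.com/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]` and fix the URL prefix in the generator so the next import does not reintroduce it.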
@@ -10776,10 +10186,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", - "type": "similar" } ], "uuid": "4d94594c-2224-46ca-8bc3-28b12ed139f9", @@ -10801,10 +10207,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3", - "type": "similar" } ], "uuid": "a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe", @@ -10834,10 +10236,6 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" - }, - { - "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", - "type": "similar" } ], "uuid": "b98d9fe7-9aa3-409a-bf5c-eadb01bac948", @@ -10863,10 +10261,6 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" - }, - { - "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "type": "similar" } ], "uuid": "c4fe23f7-f18c-40f6-b431-0b104b497eaa", @@ -10888,10 +10282,6 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" - }, - { - "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", - "type": "similar" } ], "uuid": "bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49", @@ -10917,10 +10307,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a", - "type": "similar" } ], "uuid": "2df88e4e-5a89-5535-ae1a-4c68b19d9078", @@ -10950,10 +10336,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", - "type": "similar" } ], "uuid": "4ffbca79-358a-4ba5-bfbb-dc1694c45646", @@ -10968,6 +10350,7 @@ "software_attack_id": "S0398", "source": "MITRE", "tags": [ + "84e6dbc1-98c7-4619-b796-a8c8d562ea7b", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ 
@@ -10978,10 +10361,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451", - "type": "similar" } ], "uuid": "57cec527-26fb-44a1-b1a9-506a3af2c9f2", @@ -11003,10 +10382,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e", - "type": "similar" } ], "uuid": "ba3236e9-c86b-4b5d-89ed-7f71940a0588", @@ -11024,12 +10399,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "dd889a55-fb2c-4ec7-8e9f-c399939a49e1", - "type": "similar" - } - ], + "related": [], "uuid": "5a73defd-6a1a-4132-8427-cec649e8267a", "value": "IceApple" }, @@ -11042,6 +10412,7 @@ "software_attack_id": "S0483", "source": "MITRE", "tags": [ + "7d2804e4-a4e4-4ef7-acd5-2fca9cc92556", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ 
@@ -11060,15 +10431,38 @@ { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" - }, - { - "dest-uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d", - "type": "similar" } ], "uuid": "7f59bb7c-5fa9-497d-9d8e-ba9349fd9433", "value": "IcedID" }, + { + "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3159", + "source": "Tidal Cyber", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "1c0ab9a0-eb02-4428-a319-83a504e1b22b", + "value": "Idumper" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Executes commands from a specially prepared ie4uinit.inf file.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\windows\\system32\\ie4uinit.exe\n* c:\\windows\\sysWOW64\\ie4uinit.exe\n* c:\\windows\\system32\\ieuinit.inf\n* c:\\windows\\sysWOW64\\ieuinit.inf\n\n**Resources:**\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n\n**Detection:**\n* IOC: ie4uinit.exe copied outside of %windir%\n* IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%\n* Sigma: 
[proc_creation_win_lolbin_ie4uinit.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml)[[Ie4uinit.exe - LOLBAS Project](/references/01f9a368-5933-47a1-85a9-e5883a5ca266)]", "meta": { @@ -11076,7 +10470,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5116", + "software_attack_id": "S3233", "source": "Tidal Cyber", "tags": [ "f32f1513-7277-4257-9c35-c8ab3da17c84", @@ -11098,7 +10492,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5190", + "software_attack_id": "S3311", "source": "Tidal Cyber", "tags": [ "e794994d-c38a-44d9-9253-53191ca9e56b", @@ -11120,7 +10514,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5117", + "software_attack_id": "S3234", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -11141,7 +10535,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5118", + "software_attack_id": "S3235", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -11162,7 +10556,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5191", + "software_attack_id": "S3312", "source": "Tidal Cyber", "tags": [ "fc23fb85-8c48-4f0b-aeb6-b78fd6e25e0a", @@ -11186,12 +10580,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", - "type": "similar" - } - ], + "related": [], "uuid": "93ab16d1-625e-4b1c-bb28-28974c269c47", "value": "ifconfig" }, @@ -11207,12 +10596,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513", - "type": "similar" - } - ], + "related": [], "uuid": "71098f6e-a2c0-434f-b991-6c079fd3e82d", "value": "iKitten" }, @@ -11223,7 +10607,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5119", + "software_attack_id": "S3236", "source": "Tidal Cyber", "tags": [ "8bcce456-e1dc-4dd0-99a9-8334fd6f2847", 
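Review bot: The new Idumper entry (hunk `-11060,15 +10431,38`, which begins on the previous line) is typed `"malware"` although its own description calls it "a credential dumping tool", and this file keeps a distinct `"tool"` type (see the ifconfig entry in a later hunk on this line). If Idumper is a custom OilRig component the type is right; if it is a generic dumping utility it should be `"type": ["tool"]` so consumers filtering on type find it with the other tools, and the choice should be stated in the commit message either way. Independently, its reference link is root-relative (`/references/21ee3e95-ac4b-48f7-b948-249e1884bc96`) unlike the absolute `https://app.tidalcyber.com/references/…` URLs used by the surrounding entries and will not resolve when rendered; make it absolute.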
@@ -11245,7 +10629,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5308", + "software_attack_id": "S3088", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -11272,7 +10656,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5115", + "software_attack_id": "S3232", "source": "Tidal Cyber", "tags": [ "796962fe-56d7-4816-9193-153da0be7c10", @@ -11310,10 +10694,6 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" - }, - { - "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9", - "type": "similar" } ], "uuid": "925fc0db-9315-4703-9353-1d0e9ecb1439", @@ -11357,6 +10737,10 @@ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" 
@@ -11436,15 +10820,40 @@ { "dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4", "type": "used-by" - }, - { - "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", - "type": "similar" } ], "uuid": "cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c", "value": "Impacket" }, + { + "description": "INC is a ransomware operation that emerged in July 2023. Operators of INC ransomware typically publicly extort their victims.[[SentinelOne September 21 2023](/references/7e793738-c132-47bf-90aa-1f0659564d16)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S3189", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + } + ], + "uuid": "41b71db3-9779-445e-a0b5-7cd7174a7026", + "value": "INC Ransomware" + }, { "description": "[Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)] [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) was used in the attacks on the Ukrainian power grid in December 2016.[[Dragos Crashoverride 2017](https://app.tidalcyber.com/references/c8f624e3-2ba2-4564-bd1c-f06b9a6a8bce)] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]", "meta": { 
@@ -11465,10 +10874,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808", - "type": "similar" } ], "uuid": "09398a7c-aee5-44af-b99d-f73d3b39c299", @@ -11491,10 +10896,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "type": "similar" } ], "uuid": "53c5fb76-a690-55c3-9e02-39577990da2a", @@ -11507,7 +10908,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5120", + "software_attack_id": "S3237", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -11533,12 +10934,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952", - "type": "similar" - } - ], + "related": [], "uuid": "e42bf572-1e70-4467-a4b7-5e22c776c758", "value": "InnaputRAT" }, @@ -11549,7 +10945,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5121", + "software_attack_id": "S3238", "source": "Tidal Cyber", "tags": [ "a3f84674-3813-4993-9e34-39cdaa19cbd1", @@ -11571,7 +10967,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5049", + "software_attack_id": "S3073", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -11592,7 +10988,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5272", + "software_attack_id": "S3113", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -11619,12 +11015,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce", - "type": "similar" - } - ], + "related": [], "uuid": "3ee4c49d-2f2c-4677-b193-69f16f2851a4", "value": "InvisiMole" }, @@ -11641,10 +11032,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", - "type": "similar" } ], "uuid": "2200a647-3312-44c0-9691-4a26153febbb", 
@@ -11657,7 +11044,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5080", + "software_attack_id": "S3104", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -11776,10 +11163,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "type": "similar" } ], "uuid": "4f519002-0576-4f8e-8add-73ebac9a86e6", @@ -11804,10 +11187,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e", - "type": "similar" } ], "uuid": "9ca96281-8ff9-4619-a79d-16c5a9594eae", @@ -11832,10 +11211,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "type": "similar" } ], "uuid": "752ab0fc-7fa1-4e54-bd9a-7a280a38ed77", @@ -11857,10 +11232,6 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" - }, - { - "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", - "type": "similar" } ], "uuid": "6dbf31cf-0ba0-48b4-be82-38889450845c", @@ -11873,7 +11244,7 @@ "platforms": [ "Network" ], - "software_attack_id": "S5061", + "software_attack_id": "S3067", "source": "Tidal Cyber", "tags": [ "b20e7912-6a8d-46e3-8e13-9a3fc4813852", @@ -11907,12 +11278,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "type": "similar" - } - ], + "related": [], "uuid": "a4debf1f-8a37-4c89-8ebc-31de71d33f79", "value": "Janicab" }, @@ -11928,12 +11294,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "64122557-5940-4271-9123-25bfc0c693db", - "type": "similar" - } - ], + "related": [], "uuid": "853d3d18-d746-4650-a9bd-c36a0e86dd02", "value": "Javali" }, 
@@ -11950,12 +11311,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82", - "type": "similar" - } - ], + "related": [], "uuid": "41ec0bbc-65ca-4913-a763-1638215d7b2f", "value": "JCry" }, @@ -11978,10 +11334,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "type": "similar" } ], "uuid": "d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae", @@ -12003,10 +11355,6 @@ { "dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74", "type": "used-by" - }, - { - "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", - "type": "similar" } ], "uuid": "c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f", @@ -12034,10 +11382,6 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" - }, - { - "dest-uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", - "type": "similar" } ], "uuid": "42fe9795-5cf6-4ad7-b56e-2aa655377992", @@ -12050,7 +11394,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5122", + "software_attack_id": "S3239", "source": "Tidal Cyber", "tags": [ "ee16a0c7-b3cf-4303-9681-b3076da9bff0", @@ -12085,10 +11429,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "f559f945-eb8b-48b1-904c-68568deebed3", - "type": "similar" } ], "uuid": "c67f3029-a26c-4752-b7f1-8e3369c2f79d", @@ -12101,9 +11441,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5303", + "software_attack_id": "S3069", "source": "Tidal Cyber", "tags": [ + "4ac8deac-b33f-4276-b9ee-2d810138aedc", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "2feda37d-5579-4102-a073-aa02e82cb49f" @@ -12137,10 +11478,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", - "type": "similar" } ], "uuid": "ca883d21-97ca-420d-a66b-ef19a8355467", 
@@ -12161,12 +11498,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "type": "similar" - } - ], + "related": [], "uuid": "1896b9c9-a93e-4220-b4c2-6c4c9c5ca297", "value": "Kasidet" }, @@ -12190,10 +11522,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", - "type": "similar" } ], "uuid": "e93990a0-4841-4867-8b74-ac2806d787bf", @@ -12218,10 +11546,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5", - "type": "similar" } ], "uuid": "17c28e46-1005-4737-8567-d4ad9f1aefd1", @@ -12239,12 +11563,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c984b414-b766-44c5-814a-2fe96c913c12", - "type": "similar" - } - ], + "related": [], "uuid": "32f1e0d3-753f-4b51-aec5-cfaa393cedc3", "value": "Kessel" }, @@ -12264,10 +11583,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a", - "type": "similar" } ], "uuid": "b9730d7c-aa57-4d6f-9125-57dcb65b02e0", @@ -12289,10 +11604,6 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" - }, - { - "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", - "type": "similar" } ], "uuid": "6ec39371-d50b-43b6-937c-52de00491eab", @@ -12310,12 +11621,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4b072c90-bc7a-432b-940e-016fc1c01761", - "type": "similar" - } - ], + "related": [], "uuid": "aefbe6ff-7ce4-479e-916d-e8f0259d81f6", "value": "Keydnap" }, @@ -12335,10 +11641,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", - "type": "similar" } ], "uuid": "a644f61e-6a9b-41ab-beca-72518351c27f", 
@@ -12361,10 +11663,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d", - "type": "similar" } ], "uuid": "ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a", @@ -12386,10 +11684,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d", - "type": "similar" } ], "uuid": "c1e1ab6a-d5ce-4520-98c5-c6df41005fd9", @@ -12421,10 +11715,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "type": "similar" } ], "uuid": "b5532e91-d267-4819-a05d-8c5358995add", @@ -12447,12 +11737,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d6e55656-e43f-411f-a7af-45df650471c5", - "type": "similar" - } - ], + "related": [], "uuid": "7b4f157c-4b34-4f55-9c20-ff787495e9ba", "value": "Kinsing" }, @@ -12472,10 +11757,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", - "type": "similar" } ], "uuid": "673ed346-9562-4997-80b2-e701b1a99a58", @@ -12509,10 +11790,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", - "type": "similar" } ], "uuid": "5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd", @@ -12530,12 +11807,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9", - "type": "similar" - } - ], + "related": [], "uuid": "bf918663-90bd-489e-91e7-6951a18a25fd", "value": "Kobalos" }, @@ -12555,10 +11827,6 @@ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" - }, - { - "dest-uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb", - "type": "similar" } ], "uuid": "3e13d07d-d9e1-4456-bec3-b2375e404753", 
@@ -12580,10 +11848,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "type": "similar" } ], "uuid": "2cf1be0d-2fba-4fd0-ab2f-3695716d1735", @@ -12605,10 +11869,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", - "type": "similar" } ], "uuid": "3067f148-2e2b-4aac-9652-59823b3ad4f1", @@ -12629,12 +11889,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1", - "type": "similar" - } - ], + "related": [], "uuid": "d381de2a-30cb-4d50-bbce-fd1e489c4889", "value": "KONNI" }, @@ -12654,10 +11909,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", - "type": "similar" } ], "uuid": "d09c4459-1aa3-547d-99f4-7ac73b8043f0", @@ -12679,10 +11930,6 @@ { "dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e", "type": "used-by" - }, - { - "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", - "type": "similar" } ], "uuid": "35ac4018-8506-4025-a9e3-bd017700b3b3", @@ -12695,7 +11942,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5258", + "software_attack_id": "S3379", "source": "Tidal Cyber", "tags": [ "5be0da70-9249-44fa-8c3b-7394ef26b2e0", @@ -12742,6 +11989,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" @@ -12809,10 +12060,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", - "type": "similar" } ], "uuid": "f5558af4-e3e2-47c2-b8fe-72850bd30f37", @@ -12825,7 +12072,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5017", + "software_attack_id": "S3240", "source": "Tidal Cyber", "tags": [ "cea43301-9f7a-46a5-be3a-3a09f0f3c09e", 
@@ -12861,7 +12108,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5020", + "software_attack_id": "S3022", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", @@ -12889,7 +12136,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5067", + "software_attack_id": "S3092", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -12930,10 +12177,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", - "type": "similar" } ], "uuid": "c9d2f023-d54b-4d08-9598-a42fb92b3161", @@ -12951,12 +12194,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5dc9e8ec-9917-4de7-b8ab-16007899dd80", - "type": "similar" - } - ], + "related": [], "uuid": "1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0", "value": "LIGHTWIRE" }, @@ -12967,7 +12205,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5034", + "software_attack_id": "S3036", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -12992,6 +12230,10 @@ "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" }, + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -13011,7 +12253,7 @@ "platforms": [ "Network" ], - "software_attack_id": "S5284", + "software_attack_id": "S3132", "source": "Tidal Cyber", "tags": [ "a159c91c-5258-49ea-af7d-e803008d97d3", @@ -13036,7 +12278,7 @@ "platforms": [ "Network" ], - "software_attack_id": "S5285", + "software_attack_id": "S3133", "source": "Tidal Cyber", "tags": [ "a159c91c-5258-49ea-af7d-e803008d97d3", @@ -13071,10 +12313,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", - "type": "similar" } ], "uuid": "925975f8-e8ff-411f-a40e-f799968046f7", 
@@ -13096,12 +12334,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0efefea5-78da-4022-92bc-d726139e8883", - "type": "similar" - } - ], + "related": [], "uuid": "d017e133-fce9-4982-a2df-6867a80089e7", "value": "Linux Rabbit" }, @@ -13124,10 +12357,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d", - "type": "similar" } ], "uuid": "71e4028c-9ca1-45ce-bc44-98209ae9f6bd", @@ -13149,10 +12378,6 @@ { "dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa", "type": "used-by" - }, - { - "dest-uuid": "9020f5c7-efde-4125-a4f1-1b70f1274ddd", - "type": "similar" } ], "uuid": "cc568409-71ff-468b-9c38-d0dd9020e409", @@ -13170,12 +12395,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "19256855-65e9-48f2-8b74-9f3d0a994428", - "type": "similar" - } - ], + "related": [], "uuid": "c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca", "value": "LITTLELAMB.WOOLTEA" }, @@ -13205,10 +12425,6 @@ { "dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf", "type": "used-by" - }, - { - "dest-uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc", - "type": "similar" } ], "uuid": "65d46aab-b3ce-4f5b-b1fc-871db2573fa1", @@ -13221,9 +12437,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5047", + "software_attack_id": "S3015", "source": "Tidal Cyber", "tags": [ + "ba2210ad-0cf7-4a28-8d40-c1dbec5fb202", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", @@ -13271,10 +12488,6 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" - }, - { - "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", - "type": "similar" } ], "uuid": "65bc8e81-0a08-49f6-9d04-a2d63d512342", @@ -13296,10 +12509,6 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" - }, - { - "dest-uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48", - "type": "similar" } ], "uuid": "d28c3706-df25-59e2-939f-131abaf8a1eb", 
@@ -13312,7 +12521,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5073", + "software_attack_id": "S3098", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -13361,10 +12570,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed", - "type": "similar" } ], "uuid": "039f34e9-f379-4a24-a53f-b28ba579854c", @@ -13389,10 +12594,6 @@ { "dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba", "type": "used-by" - }, - { - "dest-uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae", - "type": "similar" } ], "uuid": "4fead65c-499d-4f44-8879-2c35b24dac68", @@ -13410,12 +12611,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c9ccc4df-1f56-49e7-ad57-b383e1451688", - "type": "similar" - } - ], + "related": [], "uuid": "bfd2a077-5000-4500-82c4-5c85fb98dd5a", "value": "LookBack" }, @@ -13426,7 +12622,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5035", + "software_attack_id": "S3037", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -13470,12 +12666,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f99f3dcc-683f-4936-8791-075ac5e58f10", - "type": "similar" - } - ], + "related": [], "uuid": "f503535b-406c-4e24-8123-0e22fec995bb", "value": "LoudMiner" }, @@ -13495,10 +12686,6 @@ { "dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e", "type": "used-by" - }, - { - "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "type": "similar" } ], "uuid": "fce1117a-e699-4aef-b1fc-04c3967acc33", @@ -13523,10 +12710,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", - "type": "similar" } ], "uuid": "37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc", 
@@ -13544,12 +12727,7 @@
 "malware"
 ]
 },
- "related": [
- {
- "dest-uuid": "54a73038-1937-4d71-a253-316e76d5413c",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "723d9a27-74fd-4333-a8db-63df2a8b4dd4",
 "value": "Lucifer"
 },
@@ -13569,15 +12747,34 @@
 {
 "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
 "type": "used-by"
- },
- {
- "dest-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad",
- "type": "similar"
 }
 ],
 "uuid": "0cc9e24b-d458-4782-a332-4e4fd68c057b",
 "value": "Lurid"
 },
+ {
+ "description": "Lynx is a Windows-focused ransomware that was identified in July 2024. Rapid7 researchers note potential code similarities between Lynx and INC ransomware.[[Rapid7 Blog September 12 2024](/references/21d393ae-d135-4c5a-8c6d-1baa8c0a1e08)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3169",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "f5d55fa5-afb8-46ff-b5b5-c792060fd7d3",
+ "value": "Lynx Ransomware"
+ },
 {
 "description": "[Machete](https://app.tidalcyber.com/software/be8a1630-9562-41ad-a621-65989f961a10) is a cyber espionage toolset used by [Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)][[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)][[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]",
 "meta": {
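Review bot: The new Lynx entry's citation link is site-relative, `(/references/21d393ae-d135-4c5a-8c6d-1baa8c0a1e08)`, whereas the Machete entry in the same hunk uses absolute `https://app.tidalcyber.com/references/...` URLs; rendered on misp-galaxy.org or inside a MISP instance the relative form resolves against the wrong host and gives a dead link. The same form appears in the other entries this diff adds — Mango, MKG, Monti and ODAgent — so it looks systematic rather than a one-off. If this file is produced from the Tidal API as the README's source field suggests, the fix belongs in the generator: prefix `/references/` paths with the Tidal host so the Lynx line reads `[[Rapid7 Blog September 12 2024](https://app.tidalcyber.com/references/21d393ae-d135-4c5a-8c6d-1baa8c0a1e08)]`.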
@@ -13594,10 +12791,6 @@ { "dest-uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af", "type": "used-by" - }, - { - "dest-uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04", - "type": "similar" } ], "uuid": "be8a1630-9562-41ad-a621-65989f961a10", @@ -13615,12 +12808,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a", - "type": "similar" - } - ], + "related": [], "uuid": "7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb", "value": "MacMa" }, @@ -13636,12 +12824,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "2a59a237-1530-4d55-91f9-2aebf961cc37", - "type": "similar" - } - ], + "related": [], "uuid": "74feb557-21bc-40fb-8ab5-45d3af84c380", "value": "macOS.OSAMiner" }, @@ -13657,12 +12840,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f72251cb-2be5-421f-a081-99c29a1209e7", - "type": "similar" - } - ], + "related": [], "uuid": "e5e67c67-e658-45b5-850b-044312be4258", "value": "MacSpy" }, @@ -13682,10 +12860,6 @@ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" - }, - { - "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", - "type": "similar" } ], "uuid": "7506616c-b808-54fb-9982-072a0dcf8a04", @@ -13713,10 +12887,6 @@ { "dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b", "type": "used-by" - }, - { - "dest-uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e", - "type": "similar" } ], "uuid": "d762974a-ca7e-45ee-bc1d-f5218bf46c84", @@ -13729,7 +12899,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5123", + "software_attack_id": "S3241", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", @@ -13765,7 +12935,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5259", + "software_attack_id": "S3380", "source": "Tidal Cyber", "tags": [ "ff10869f-fed4-4f21-b83a-9939e7381d6e", 
@@ -13780,6 +12950,33 @@
 "uuid": "9b6b705e-55ae-4d9e-9c57-baf1358cc324",
 "value": "Manage-bde"
 },
+ {
+ "description": "A backdoor capability associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3162",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "9702e486-e5b9-486f-84f3-289c599d3d72",
+ "value": "Mango"
+ },
 {
 "description": "[MarkiRAT](https://app.tidalcyber.com/software/40806539-1496-4a64-b740-66f6a1467f40) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://app.tidalcyber.com/groups/275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb) since at least 2015.[[Kaspersky Ferocious Kitten Jun 2021](https://app.tidalcyber.com/references/b8f8020d-3f5c-4b5e-8761-6ecdd63fcd50)]",
 "meta": {
@@ -13799,10 +12996,6 @@
 {
 "dest-uuid": "275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb",
 "type": "used-by"
- },
- {
- "dest-uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1",
- "type": "similar"
 }
 ],
 "uuid": "40806539-1496-4a64-b740-66f6a1467f40",
@@ -13817,7 +13010,7 @@
 "macOS",
 "Windows"
 ],
- "software_attack_id": "S5282",
+ "software_attack_id": "S3121",
 "source": "Tidal Cyber",
 "tags": [
 "e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -13858,10 +13051,6 @@
 {
 "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b",
 "type": "used-by"
- },
- {
- "dest-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
- "type": "similar"
 }
 ],
 "uuid": "eeb700ea-2819-46f4-936d-f7592f20dedc",
@@ -13874,7 +13063,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5124", + "software_attack_id": "S3242", "source": "Tidal Cyber", "tags": [ "724c3509-ad5e-46a3-a72c-6f3807b13793", @@ -13898,6 +13087,7 @@ "software_attack_id": "S0449", "source": "MITRE", "tags": [ + "5b4ce6cb-0929-4f74-a3b2-bd1afa916d36", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad", "1cc90752-70a3-4a17-b370-e1473a212f79", @@ -13920,10 +13110,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "d9f7383c-95ec-4080-bbce-121c9384457b", - "type": "similar" } ], "uuid": "3c206491-45c0-4ff7-9f40-45f9aae4de64", @@ -13936,7 +13122,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5297", + "software_attack_id": "S3020", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -13972,10 +13158,6 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" - }, - { - "dest-uuid": "975737f1-b10d-476f-8bda-3ec26ea57172", - "type": "similar" } ], "uuid": "939cbe39-5b63-4651-b0c0-85ac39cb9f0e", @@ -13997,10 +13179,6 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" - }, - { - "dest-uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", - "type": "similar" } ], "uuid": "31cbe3c8-be88-4a4f-891d-04c3bb7ed482", @@ -14013,9 +13191,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5022", + "software_attack_id": "S3066", "source": "Tidal Cyber", "tags": [ + "0512bbd3-0596-4426-9ee6-d2bfeb8fd219", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" @@ -14054,10 +13233,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", - "type": "similar" } ], "uuid": "6c3bbcae-3217-43c7-b709-5c54bc7636b1", 
@@ -14072,7 +13247,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5328", + "software_attack_id": "S3143", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745", @@ -14111,12 +13286,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "909617c3-6d87-4330-8f32-bd3af38c3b92", - "type": "similar" - } - ], + "related": [], "uuid": "d8a4a817-2914-47b0-867c-ad8eeb7efd10", "value": "MegaCortex" }, @@ -14129,7 +13299,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5005", + "software_attack_id": "S3021", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -14153,6 +13323,10 @@ ] }, "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -14201,12 +13375,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d3105fb5-c494-4fd1-a7be-414eab9e0c96", - "type": "similar" - } - ], + "related": [], "uuid": "aa844e6b-feda-4928-8c6d-c59f7be88da0", "value": "Melcoz" }, @@ -14226,10 +13395,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573", - "type": "similar" } ], "uuid": "15d7e478-349d-42e6-802d-f16302b98319", @@ -14251,10 +13416,6 @@ { "dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b", "type": "used-by" - }, - { - "dest-uuid": "df350889-4de9-44e5-8cb3-888b8343e97c", - "type": "similar" } ], "uuid": "0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d", @@ -14275,12 +13436,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "81c57a96-fc8c-4f91-af8e-63e24c2927c2", - "type": "similar" - } - ], + "related": [], "uuid": "ca607087-25ad-4a91-af83-608646cccbcb", "value": "Metamorfo" }, 
@@ -14293,9 +13449,12 @@ "macOS", "Windows" ], - "software_attack_id": "S5050", + "software_attack_id": "S3068", "source": "Tidal Cyber", "tags": [ + "677c5953-3cc8-44bb-89bc-d9a31f9d170c", + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "2feda37d-5579-4102-a073-aa02e82cb49f", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -14307,6 +13466,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -14326,7 +13489,7 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5315", + "software_attack_id": "S3128", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -14348,16 +13511,14 @@ ], "software_attack_id": "S0688", "source": "MITRE", + "tags": [ + "f68659fd-4d2f-4c9c-959d-b9f7ef91c228" + ], "type": [ "malware" ] }, - "related": [ - { - "dest-uuid": "d79e7a60-5de9-448e-a074-f95d2d80f8d0", - "type": "similar" - } - ], + "related": [], "uuid": "ee07030e-ff50-404b-ad27-ab999fc1a23a", "value": "Meteor" }, @@ -14368,7 +13529,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5224", + "software_attack_id": "S3345", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -14401,10 +13562,6 @@ { "dest-uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14", "type": "used-by" - }, - { - "dest-uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", - "type": "similar" } ], "uuid": "5879efc1-f122-43ec-a80d-e25aa449594d", @@ -14417,7 +13574,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5225", + "software_attack_id": "S3346", "source": "Tidal Cyber", "tags": [ "eb75bfce-e0d6-41b3-a3f0-df34e6e9b476", @@ -14439,7 +13596,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5125", + "software_attack_id": "S3243", "source": "Tidal Cyber", "tags": [ "b48e3fa8-25b4-42be-97e7-086068a150c5", 
@@ -14473,10 +13630,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c", - "type": "similar" } ], "uuid": "57545dbc-c72a-409d-a373-bc35e25160cd", @@ -14526,6 +13679,10 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" @@ -14761,10 +13918,6 @@ { "dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a", "type": "used-by" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "type": "similar" } ], "uuid": "b8e7c0b4-49e4-4e8d-9467-b17f305ddf16", @@ -14789,10 +13942,6 @@ { "dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7", "type": "used-by" - }, - { - "dest-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", - "type": "similar" } ], "uuid": "42350632-b59a-4cc5-995e-d95d8c608553", @@ -14807,12 +13956,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", - "type": "similar" - } - ], + "related": [], "uuid": "c0dea9db-1551-4f6c-8a19-182efc34093a", "value": "Miner-C" }, @@ -14835,10 +13979,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "type": "similar" } ], "uuid": "2bb16809-6bc3-46c3-b28a-39cb49410340", @@ -14863,10 +14003,6 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" - }, - { - "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", - "type": "similar" } ], "uuid": "535f1b97-7a70-4d18-be4e-3a9f74ccf78a", @@ -14884,12 +14020,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "type": "similar" - } - ], + "related": [], "uuid": "4048afa2-79c8-4d38-8219-2207adddd884", "value": "Misdat" }, 
@@ -14912,10 +14043,6 @@
 {
 "dest-uuid": "803f8018-6e45-5b0f-978f-1fe96b217120",
 "type": "used-by"
- },
- {
- "dest-uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80",
- "type": "similar"
 }
 ],
 "uuid": "758e5226-6015-5cc7-af4b-20fa35c9bac1",
@@ -14933,12 +14060,7 @@
 "malware"
 ]
 },
- "related": [
- {
- "dest-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
- "type": "similar"
- }
- ],
+ "related": [],
 "uuid": "fe554d2e-f974-41d6-8e7a-701bd758355d",
 "value": "Mis-Type"
 },
@@ -14958,15 +14080,38 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" - }, - { - "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "type": "similar" } ], "uuid": "f603ea32-91c3-4b62-a60f-57670433b080", "value": "Mivast" }, + { + "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3160", + "source": "Tidal Cyber", + "tags": [ + "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "7bded42d-ad82-4b00-88c7-c1129c11894d", + "value": "MKG" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Load snap-ins to locally and remotely manage Windows systems\n\n**Author:** @bohops\n\n**Paths:**\n* C:\\Windows\\System32\\mmc.exe\n* C:\\Windows\\SysWOW64\\mmc.exe\n\n**Resources:**\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n* [https://offsec.almond.consulting/UAC-bypass-dotnet.html](https://offsec.almond.consulting/UAC-bypass-dotnet.html)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_mmc_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml)\n* Sigma: [file_event_win_uac_bypass_dotnet_profiler.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml)[[Mmc.exe - LOLBAS Project](/references/490b6769-e386-4a3d-972e-5a919cb2f6f5)]", "meta": { @@ -14974,7 +14119,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5126", + "software_attack_id": "S3244", "source": "Tidal Cyber", "tags": [ "f9e6382f-e41e-438e-bd7e-57a57046d9e6", @@ -15002,10 +14147,6 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" - }, - { - "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "type": "similar" } ], "uuid": "116f913c-0d5e-43d1-ba0d-3a12127af8f6", @@ -15030,10 +14171,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2", - "type": "similar" } ], "uuid": "7ca5debb-f813-4e06-98f8-d1186552e5d2", 
@@ -15058,15 +14195,35 @@ { "dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412", "type": "used-by" - }, - { - "dest-uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154", - "type": "similar" } ], "uuid": "7f5355b3-e819-4c82-a0fa-b80fda8fd6e6", "value": "Mongall" }, + { + "description": "Monti is a ransomware identified in June 2022. Researchers have drawn comparisons between Monti and Conti ransomware, whose source code was leaked earlier that year. Windows and Linux variants of Monti have been identified.[[Trend Micro August 14 2023](/references/12d2fbc5-f9cb-41b5-96a6-1cd100b5a173)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Linux", + "Windows" + ], + "software_attack_id": "S3170", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "7d7905f9-22cf-4b30-bb8f-5b5da52d1036", + "value": "Monti Ransomware" + }, { "description": "[MoonWind](https://app.tidalcyber.com/software/a699f32f-6596-4060-8fcd-42587a844b80) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [[Palo Alto MoonWind March 2017](https://app.tidalcyber.com/references/4f3d7a08-2cf5-49ed-8bcd-6df180f3d194)]", "meta": { @@ -15079,12 +14236,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "type": "similar" - } - ], + "related": [], "uuid": "a699f32f-6596-4060-8fcd-42587a844b80", "value": "MoonWind" }, @@ -15115,10 +14267,6 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" - }, - { - "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", - "type": "similar" } ], "uuid": "69f202e7-4bc9-4f4f-943f-330c053ae977", @@ -15132,6 +14280,9 @@ ], "software_attack_id": "S1047", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] 
@@ -15140,10 +14291,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448", - "type": "similar" } ], "uuid": "385e1eaf-9ba8-4381-981a-3c7af718a77d", @@ -15168,10 +14315,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", - "type": "similar" } ], "uuid": "c3939dad-d728-4ddb-804e-cf1e3743a55d", @@ -15184,7 +14327,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5127", + "software_attack_id": "S3245", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -15205,7 +14348,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5128", + "software_attack_id": "S3246", "source": "Tidal Cyber", "tags": [ "dfda978e-e0a0-4e1a-85c7-d9ab2cd7ccc5", @@ -15227,7 +14370,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5129", + "software_attack_id": "S3247", "source": "Tidal Cyber", "tags": [ "7e20fe4e-6883-457d-81f9-b4010e739f89", @@ -15249,7 +14392,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5226", + "software_attack_id": "S3347", "source": "Tidal Cyber", "tags": [ "11452158-b8d2-4a33-952a-8896f961a2f5", @@ -15271,7 +14414,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5130", + "software_attack_id": "S3248", "source": "Tidal Cyber", "tags": [ "8c30b46b-3651-4ccd-9d91-34fe89bc6843", @@ -15293,7 +14436,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5131", + "software_attack_id": "S3249", "source": "Tidal Cyber", "tags": [ "5bd3af6b-cb96-4d96-9576-26521dd76513", @@ -15315,7 +14458,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5182", + "software_attack_id": "S3303", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", 
@@ -15336,7 +14479,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5183", + "software_attack_id": "S3304", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -15357,7 +14500,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5132", + "software_attack_id": "S3250", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -15444,7 +14587,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5192", + "software_attack_id": "S3313", "source": "Tidal Cyber", "tags": [ "46338353-52ee-4f8d-9f18-f1b32644dd76", @@ -15466,7 +14609,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5133", + "software_attack_id": "S3251", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -15510,7 +14653,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5227", + "software_attack_id": "S3348", "source": "Tidal Cyber", "tags": [ "874c053b-d6b8-42c2-accc-cd256bb4d350", @@ -15532,7 +14675,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5228", + "software_attack_id": "S3349", "source": "Tidal Cyber", "tags": [ "a523dcb0-9181-4170-a113-126df84594ca", @@ -15554,7 +14697,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5229", + "software_attack_id": "S3350", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -15589,10 +14732,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", - "type": "similar" } ], "uuid": "768111f9-0948-474b-82a6-cd5455079513", @@ -15616,12 +14755,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66", - "type": "similar" - } - ], + "related": [], "uuid": "f1398367-a0af-4a89-b240-50cae4985ed9", "value": "Mythic" }, 
@@ -15644,10 +14778,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", - "type": "similar" } ], "uuid": "5cfd6135-c53b-4234-a17e-759494b2101f", @@ -15669,10 +14799,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", - "type": "similar" } ], "uuid": "0e28dfc9-8948-4c08-b7d8-9e80e19cc464", @@ -15710,10 +14836,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", - "type": "similar" } ], "uuid": "db05dbaa-eb3a-4303-b37e-18d67e7e85a1", @@ -15738,10 +14860,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84", - "type": "similar" } ], "uuid": "a814fd1d-8c2c-41b3-bb3a-30c4318c74c0", @@ -15766,10 +14884,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", - "type": "similar" } ], "uuid": "b410d30c-4db6-4239-950e-9b0e0521f0d2", @@ -15821,10 +14935,6 @@ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" - }, - { - "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", - "type": "similar" } ], "uuid": "950f13e6-3ae3-411e-a2b2-4ba1afe6cb76", @@ -15843,10 +14953,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", - "type": "similar" } ], "uuid": "81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e", @@ -15868,10 +14974,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", - "type": "similar" } ], "uuid": "6d42e6c5-3056-4ff1-8d5d-a736807ec84c", 
@@ -15893,10 +14995,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "22b17791-45bf-45c0-9322-ff1a0af5cf2b", - "type": "similar" } ], "uuid": "38510bab-aece-4d7b-b621-7594c2c4fe14", @@ -15921,10 +15019,6 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" - }, - { - "dest-uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67", - "type": "similar" } ], "uuid": "8662e29e-5766-4311-894e-5ca52515ccbe", @@ -15946,10 +15040,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", - "type": "similar" } ], "uuid": "de8b18c9-ebab-4126-96a9-282fa8829877", @@ -16134,10 +15224,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "type": "similar" } ], "uuid": "c9b8522f-126d-40ff-b44e-1f46098bd8cc", @@ -16159,10 +15245,6 @@ { "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" - }, - { - "dest-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "type": "similar" } ], "uuid": "947c6212-4da8-48dd-9da9-ce4b077dd759", @@ -16187,10 +15269,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "type": "similar" } ], "uuid": "852c300d-9313-442d-9b49-9883522c3f4b", @@ -16264,10 +15342,6 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" - }, - { - "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "type": "similar" } ], "uuid": "803192b8-747b-4108-ae15-2d7481d39162", @@ -16338,10 +15412,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "type": "similar" } ], "uuid": "132fb908-9f13-4bcf-aa64-74cbc72f5491", 
@@ -16356,9 +15426,10 @@ "Linux", "Windows" ], - "software_attack_id": "S5320", + "software_attack_id": "S3135", "source": "Tidal Cyber", "tags": [ + "6307a146-7a64-41a7-b765-8ea935027895", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "e1af18e3-3224-4e4c-9d0f-533768474508", "e727eaa6-ef41-4965-b93a-8ad0c51d0236", @@ -16370,6 +15441,10 @@ ] }, "related": [ + { + "dest-uuid": "54a13c54-a1d5-46e9-b155-56d981a5ad8f", + "type": "used-by" + }, { "dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0", "type": "used-by" @@ -16401,10 +15476,6 @@ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" - }, - { - "dest-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", - "type": "similar" } ], "uuid": "1b8f9cf9-db8f-437d-800e-5ddd090fe30d", @@ -16419,6 +15490,7 @@ "software_attack_id": "S0457", "source": "MITRE", "tags": [ + "24f88c63-2917-4895-b0ea-e3a5556b85c1", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "242bc007-5ac5-4d96-8638-699a06d06d24", @@ -16434,12 +15506,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "754effde-613c-4244-a83e-fb659b2a4d06", - "type": "similar" - } - ], + "related": [], "uuid": "5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d", "value": "Netwalker" }, @@ -16454,6 +15521,7 @@ "software_attack_id": "S0198", "source": "MITRE", "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "6c6c0125-9631-4c2c-90ab-cfef374d5198" ], "type": [ @@ -16476,10 +15544,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", - "type": "similar" } ], "uuid": "c7d0e881-80a1-49ea-9c1f-b6e53cf399a8", @@ -16492,7 +15556,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5278", + "software_attack_id": "S3118", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", 
@@ -16526,12 +15590,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "72b5f07f-5448-4e00-9ff2-08bc193a7b77", - "type": "similar" - } - ], + "related": [], "uuid": "48b161fe-3ae1-5551-9f26-d6f2d6b5afb9", "value": "NGLite" }, @@ -16610,10 +15669,6 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" - }, - { - "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", - "type": "similar" } ], "uuid": "316ecd9d-ac0b-58c7-8083-5d9214c770f6", @@ -16626,7 +15681,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5333", + "software_attack_id": "S3148", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", @@ -16662,10 +15717,6 @@ { "dest-uuid": "06549082-ff70-43bf-985e-88c695c7113c", "type": "used-by" - }, - { - "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "type": "similar" } ], "uuid": "3ae9acd7-39f8-45c6-b557-c7d9a40eed2c", @@ -16687,10 +15738,6 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" - }, - { - "dest-uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6", - "type": "similar" } ], "uuid": "b1963876-dbdc-5beb-ace3-acb6d7705543", @@ -16712,10 +15759,6 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" - }, - { - "dest-uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5", - "type": "similar" } ], "uuid": "2dd26ff0-22d6-591b-9054-78e84fa3e05c", @@ -16728,7 +15771,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5271", + "software_attack_id": "S3112", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -16800,10 +15843,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", - "type": "similar" } ], "uuid": "82996f6f-0575-45cd-8f7c-ba1b063d5b9f", 
@@ -16823,12 +15862,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "bd2ebee8-7c38-408a-871d-221012104222", - "type": "similar" - } - ], + "related": [], "uuid": "e26988e0-e755-54a4-8234-e8f961266d82", "value": "NKAbuse" }, @@ -16894,10 +15928,6 @@ { "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", "type": "used-by" - }, - { - "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", - "type": "similar" } ], "uuid": "fbb1546a-f288-4e43-9e5c-14c94423c4f6", @@ -16910,9 +15940,12 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5051", + "software_attack_id": "S3074", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207", "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", "6070668f-1cbd-4878-8066-c636d1d8659c", @@ -16932,6 +15965,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937", "type": "used-by" @@ -16971,10 +16008,6 @@ { "dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1", "type": "used-by" - }, - { - "dest-uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", - "type": "similar" } ], "uuid": "31aa0433-fb6b-4290-8af5-a0d0c6c18548", @@ -17004,10 +16037,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", - "type": "similar" } ], "uuid": "2538e0fe-1290-4ae1-aef9-e55d83c9eb23", @@ -17020,7 +16049,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5052", + "software_attack_id": "S3075", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", @@ -17041,7 +16070,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5018", + "software_attack_id": "S3057", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", 
@@ -17114,10 +16143,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9", - "type": "similar" } ], "uuid": "97e8148c-e146-444c-9de5-6e2fdbda2f9f", @@ -17135,12 +16160,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "288fa242-e894-4c7e-ac86-856deedf5cea", - "type": "similar" - } - ], + "related": [], "uuid": "f1723994-058b-4525-8e11-2f0c80d8f3a4", "value": "OceanSalt" }, 
@@ -17160,15 +16180,39 @@ { "dest-uuid": "5f8c6ee0-f302-403b-b712-f1e3df064c0c", "type": "used-by" - }, - { - "dest-uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2", - "type": "similar" } ], "uuid": "8f04e609-8773-4529-b247-d32f530cc453", "value": "Octopus" }, + { + "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3155", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "0dd8fad0-9f4a-487d-b3f7-570bd2046e8a", + "value": "ODAgent" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used in Windows for managing ODBC connections\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\odbcconf.exe\n* C:\\Windows\\SysWOW64\\odbcconf.exe\n\n**Resources:**\n* [https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b](https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b)\n* [https://github.com/woanware/application-restriction-bypasses](https://github.com/woanware/application-restriction-bypasses)\n* 
[https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/](https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/)\n\n**Detection:**\n* Sigma: [proc_creation_win_odbcconf_response_file.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml)\n* Sigma: [proc_creation_win_odbcconf_response_file_susp.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[LOLBAS Odbcconf](/references/febcaaec-b535-4347-a4c7-b3284b251897)]", "meta": { @@ -17176,7 +16220,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5134", + "software_attack_id": "S3253", "source": "Tidal Cyber", "tags": [ "64825d12-3cd6-4446-a93c-ff7d8ec13dc8", @@ -17203,7 +16247,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5135", + "software_attack_id": "S3254", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", 
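Review bot: The new ODAgent object's description never names ODAgent and is identical, word for word, to the descriptions of the OilBooster and OilCheck objects added in the hunk on L750–L751 (`"description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, ..."`), so the three entries are distinguishable only by `value` and `software_attack_id`. A reader searching the cluster by description text, or a consumer that deduplicates on description, cannot tell which downloader is which. Prefix each description with its tool name, e.g. `"description": "ODAgent is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, ..."`, keeping the same reference.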
@@ -17217,6 +16261,62 @@ "uuid": "8bc7c62a-110d-451b-9ca6-bc48a13e72d4", "value": "OfflineScannerShell" }, + { + "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3153", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "01f8ef57-5c22-4dad-9300-12c0b0d63c1f", + "value": "OilBooster" + }, + { + "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3154", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "f41dcc5a-017d-4e79-86c1-c7055bd3b513", + "value": "OilCheck" + }, { "description": "[Okrum](https://app.tidalcyber.com/software/f9bcf0a1-f287-44ec-8f53-6859d41e041c) is a Windows backdoor that has been seen in use since December 2016 with strong links to 
[Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8).[[ESET Okrum July 2019](https://app.tidalcyber.com/references/197163a8-1a38-4edd-ba73-f44e7a329f41)]", "meta": { @@ -17236,10 +16336,6 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" - }, - { - "dest-uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83", - "type": "similar" } ], "uuid": "f9bcf0a1-f287-44ec-8f53-6859d41e041c", @@ -17264,10 +16360,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "type": "similar" } ], "uuid": "479814e2-2656-4ea2-9e79-fcdb818f703e", @@ -17292,10 +16384,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", - "type": "similar" } ], "uuid": "073b5288-11d6-4db0-9f2c-a1816847d15c", @@ -17308,7 +16396,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5136", + "software_attack_id": "S3255", "source": "Tidal Cyber", "tags": [ "b6116080-8fbf-4e9f-9206-20b025f2cf23", @@ -17342,10 +16430,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "type": "similar" } ], "uuid": "6056bf36-fb45-498d-a285-5f98ae08b090", @@ -17370,10 +16454,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", - "type": "similar" } ], "uuid": "4f1894d4-d085-4348-af50-dfda257a9e18", @@ -17386,7 +16466,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5230", + "software_attack_id": "S3351", "source": "Tidal Cyber", "tags": [ "1dd2d703-fed1-41d2-9843-7b276ef3d6f2", @@ -17408,7 +16488,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5273", + "software_attack_id": "S3017", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", 
@@ -17470,10 +16550,6 @@ { "dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871", "type": "used-by" - }, - { - "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", - "type": "similar" } ], "uuid": "45a52a29-00c0-458a-b705-1040e06a43f2", @@ -17495,10 +16571,6 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" - }, - { - "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "type": "similar" } ], "uuid": "fa1e13b8-2fb7-42e8-b630-25f0edfbca65", @@ -17523,10 +16595,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", - "type": "similar" } ], "uuid": "a45904b5-0ada-4567-be4c-947146c7f574", @@ -17544,12 +16612,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f1314e75-ada8-49f4-b281-b1fb8b48f2a7", - "type": "similar" - } - ], + "related": [], "uuid": "4d91d625-21d8-484a-b63f-0a3daa4ed434", "value": "OSX/Shlayer" }, @@ -17569,10 +16632,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d", - "type": "similar" } ], "uuid": "273b1e8d-a23d-4c22-8493-80f3d6639352", @@ -17598,10 +16657,6 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" - }, - { - "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae", - "type": "similar" } ], "uuid": "042fe42b-f60e-45e1-b47d-a913e0677976", @@ -17619,12 +16674,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "type": "similar" - } - ], + "related": [], "uuid": "6d8a8510-e6f1-49a7-b3a5-bd4664937147", "value": "OwaAuth" }, @@ -17640,12 +16690,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", - "type": "similar" - } - ], + "related": [], "uuid": "916f8a7c-e487-4446-b6ee-c8da712a9569", "value": "P2P ZeuS" }, 
@@ -17665,10 +16710,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9", - "type": "similar" } ], "uuid": "1933ad3d-3085-4b1b-82b9-ac51b440e2bf", @@ -17691,10 +16732,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1", - "type": "similar" } ], "uuid": "13856c51-d81c-5d75-bb6a-0bbdcc857cdd", @@ -17727,10 +16764,6 @@ { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" - }, - { - "dest-uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9", - "type": "similar" } ], "uuid": "e90eb529-1665-5fd7-a44e-695715e4081b", @@ -17759,10 +16792,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1", - "type": "similar" } ], "uuid": "320b0784-4f0f-46ea-99e9-c34bfcca1c2e", @@ -17784,10 +16813,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", - "type": "similar" } ], "uuid": "3f018e73-d09b-4c8d-815b-8b2c8faf7055", @@ -17806,10 +16831,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", - "type": "similar" } ], "uuid": "8d007d52-8898-494c-8d72-354abd93da1e", @@ -17822,7 +16843,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5037", + "software_attack_id": "S3039", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -17870,10 +16891,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", - "type": "similar" } ], "uuid": "4d79530c-2fd9-4438-a8da-74f42119695a", 
@@ -17900,10 +16917,6 @@ { "dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d", "type": "used-by" - }, - { - "dest-uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83", - "type": "similar" } ], "uuid": "9aa21e50-726e-4002-8b7b-75697a03eb2b", @@ -17916,7 +16929,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5137", + "software_attack_id": "S3256", "source": "Tidal Cyber", "tags": [ "074533ec-e14a-4dc3-98ae-c029904e3d6d", @@ -17947,10 +16960,6 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" - }, - { - "dest-uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15", - "type": "similar" } ], "uuid": "873ede85-548b-5fc0-a29e-80bd5afc5bf4", @@ -17963,7 +16972,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5038", + "software_attack_id": "S3040", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -18021,10 +17030,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "3a53b207-aba2-4a2b-9cdb-273d633669e7", - "type": "similar" } ], "uuid": "71eb2211-39aa-4b89-bd51-9dcabd363149", @@ -18037,7 +17042,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5138", + "software_attack_id": "S3257", "source": "Tidal Cyber", "tags": [ "62496b72-7820-4512-b3f9-188464bb8161", @@ -18059,7 +17064,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5193", + "software_attack_id": "S3314", "source": "Tidal Cyber", "tags": [ "ff5c357e-6b9b-4ef3-a7ed-e5d4c0091c0c", @@ -18099,10 +17104,6 @@ { "dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886", "type": "used-by" - }, - { - "dest-uuid": "79dd477a-8226-4b3d-ad15-28623675f221", - "type": "similar" } ], "uuid": "52a19c73-2454-4893-8f84-8d05c37a9472", @@ -18124,10 +17125,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550", - "type": "similar" } ], "uuid": "951fad62-f636-4c01-b924-bb0ce87f5b20", 
@@ -18149,10 +17146,6 @@ { "dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25", "type": "used-by" - }, - { - "dest-uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623", - "type": "similar" } ], "uuid": "1f080577-c002-4b49-a342-fa70983c1d58", @@ -18165,7 +17158,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5264", + "software_attack_id": "S3385", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -18186,9 +17179,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5279", + "software_attack_id": "S3119", "source": "Tidal Cyber", "tags": [ + "288f845a-9683-4bd7-a7a7-b25cbf297532", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "d819ae1a-e385-49fd-88d5-f66660729ecb", "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -18216,7 +17210,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5307", + "software_attack_id": "S3086", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -18256,10 +17250,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "type": "similar" } ], "uuid": "fd63cec1-9f72-4ed0-9926-2dbbb3d9cead", @@ -18272,9 +17262,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5265", + "software_attack_id": "S3106", "source": "Tidal Cyber", "tags": [ + "ac70a2da-0b1a-40bd-9d1b-21b9ac789832", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], @@ -18310,10 +17301,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2", - "type": "similar" } ], "uuid": "db5d718b-1344-4aa2-8e6a-54e68d8adfb1", @@ -18338,10 +17325,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "type": "similar" } ], "uuid": "ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4", 
@@ -18423,10 +17406,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "type": "similar" } ], "uuid": "4ea12106-c0a1-4546-bb64-a1675d9f5dc7", @@ -18439,7 +17418,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5003", + "software_attack_id": "S3012", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -18489,10 +17468,6 @@ { "dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572", "type": "used-by" - }, - { - "dest-uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1", - "type": "similar" } ], "uuid": "4360cc62-7263-48b2-bd2a-a7737563545c", @@ -18514,10 +17489,6 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" - }, - { - "dest-uuid": "8393dac0-0583-456a-9372-fd81691bca20", - "type": "similar" } ], "uuid": "92744f7b-9f1a-472c-bae0-2d4a7ce68bb4", @@ -18539,10 +17510,6 @@ { "dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7", "type": "used-by" - }, - { - "dest-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "type": "similar" } ], "uuid": "14e65c5d-5164-41a3-92de-67fdd1d529d2", @@ -18560,12 +17527,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d79b1800-3b5d-4a4f-8863-8251eca793e2", - "type": "similar" - } - ], + "related": [], "uuid": "c0e56f14-9768-5547-abcb-aa3f220d0e40", "value": "PITSTOP" }, @@ -18576,7 +17538,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5139", + "software_attack_id": "S3258", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -18606,10 +17568,6 @@ { "dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c", "type": "used-by" - }, - { - "dest-uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", - "type": "similar" } ], "uuid": "9445f18a-a796-447a-a35f-94a9fb72411c", 
@@ -18622,9 +17580,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5300", + "software_attack_id": "S3062", "source": "Tidal Cyber", "tags": [ + "8208249d-1f4c-4781-ba14-b591f74c081c", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -18664,10 +17623,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "b57f419e-8b12-49d3-886b-145383725dcd", - "type": "similar" } ], "uuid": "9a890a85-afbe-4c35-a3e7-1adad481bdf7", @@ -18680,7 +17635,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5041", + "software_attack_id": "S3043", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", @@ -18797,10 +17752,6 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" - }, - { - "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "type": "similar" } ], "uuid": "070b56f4-7810-4dad-b85f-bdfce9c08c10", @@ -18822,10 +17773,6 @@ { "dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c", "type": "used-by" - }, - { - "dest-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", - "type": "similar" } ], "uuid": "95c273d2-3081-4cb5-8d41-37eb4e90264d", @@ -18838,7 +17785,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5140", + "software_attack_id": "S3259", "source": "Tidal Cyber", "tags": [ "6d924d43-5de3-45de-8466-a8c47a5b9e68", @@ -18865,12 +17812,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", - "type": "similar" - } - ], + "related": [], "uuid": "79b4f277-3b18-4aa7-9f96-44b35b23166b", "value": "PoetRAT" }, @@ -18949,10 +17891,6 @@ { "dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446", "type": "used-by" - }, - { - "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", - "type": "similar" } ], "uuid": "1d87a695-7989-49ae-ac1a-b6601db565c3", 
@@ -18977,10 +17915,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e", - "type": "similar" } ], "uuid": "3b7179fa-7b8b-4068-b224-d8d9c642964d", @@ -19001,12 +17935,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "222ba512-32d9-49ac-aefd-50ce981ce2ce", - "type": "similar" - } - ], + "related": [], "uuid": "555b612e-3f0d-421d-b2a7-63eb2d1ece5f", "value": "Pony" }, @@ -19026,10 +17955,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", - "type": "similar" } ], "uuid": "1353d695-5bae-4593-988f-9bd07a6fd1bb", @@ -19042,7 +17967,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5336", + "software_attack_id": "S3151", "source": "Tidal Cyber", "tags": [ "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb", @@ -19103,10 +18028,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", - "type": "similar" } ], "uuid": "a3a03835-79bf-4558-8e80-7983aeb842fb", @@ -19131,10 +18052,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "type": "similar" } ], "uuid": "b92f28c4-cbc8-4721-ac79-2d8bdf5247e5", @@ -19159,10 +18076,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "type": "similar" } ], "uuid": "d9e4f4a1-dd41-424e-986a-b9a39ebea805", @@ -19176,6 +18089,9 @@ ], "software_attack_id": "S1012", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -19184,10 +18100,6 @@ { "dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4", "type": "used-by" - }, - { - "dest-uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4", - "type": "similar" } ], "uuid": "8b9159c1-db48-472b-9897-34325da5dca7", 
@@ -19202,12 +18114,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", - "type": "similar" - } - ], + "related": [], "uuid": "018ee1d9-35af-49dc-a667-11b77cd76f46", "value": "Power Loader" }, @@ -19218,7 +18125,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5231", + "software_attack_id": "S3352", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -19251,10 +18158,6 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" - }, - { - "dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15", - "type": "similar" } ], "uuid": "e7cdaf70-5e28-442a-b34d-894484788dc5", @@ -19276,10 +18179,6 @@ { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" - }, - { - "dest-uuid": "53486bc7-7748-4716-8190-e4f1fde04c53", - "type": "similar" } ], "uuid": "2ca245de-77a9-4857-ba93-fd0d6988df9d", @@ -19304,10 +18203,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "type": "similar" } ], "uuid": "a4700431-6578-489f-9782-52e394277296", @@ -19374,10 +18269,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", - "type": "similar" } ], "uuid": "82fad10d-c921-4a87-a533-49def83d002b", @@ -19402,10 +18293,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", - "type": "similar" } ], "uuid": "837bcf97-37a7-4001-a466-306574fd7890", @@ -19430,10 +18317,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", - "type": "similar" } ], "uuid": "39fc59c6-f1aa-4c93-8e43-1f41563e9d9e", @@ -19447,6 +18330,9 @@ ], "software_attack_id": "S0371", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] 
@@ -19455,10 +18341,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", - "type": "similar" } ], "uuid": "b3c28750-3825-4e4d-ab92-f39a6b0827dd", @@ -19471,7 +18353,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5039", + "software_attack_id": "S3041", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -19495,6 +18377,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -19526,7 +18412,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5294", + "software_attack_id": "S3016", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -19565,10 +18451,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3", - "type": "similar" } ], "uuid": "7ed984bb-d098-4d0a-90fd-b03e68842479", @@ -19593,10 +18475,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "type": "similar" } ], "uuid": "67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4", @@ -19609,7 +18487,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5141", + "software_attack_id": "S3260", "source": "Tidal Cyber", "tags": [ "0661bf1f-76ec-490c-937a-efa3f02bc59b", @@ -19633,6 +18511,7 @@ "software_attack_id": "S1058", "source": "MITRE", "tags": [ + "92ce4726-c01f-4e51-a36d-f72fcfa77d79", "5e7433ad-a894-4489-93bc-41e90da90019", "7e7b0c67-bb85-4996-a289-da0e792d7172" ], @@ -19644,10 +18523,6 @@ { "dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666", "type": "used-by" - }, - { - "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be", - "type": "similar" } ], "uuid": "4fb5b109-5a5c-5441-a0f9-f639ead5405e", 
@@ -19668,12 +18543,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "type": "similar" - } - ], + "related": [], "uuid": "1da989a8-41cc-4e89-a435-a88acb72ae0d", "value": "Prikormka" }, @@ -19684,7 +18554,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5142", + "software_attack_id": "S3261", "source": "Tidal Cyber", "tags": [ "01aca077-8cfb-4d1d-9b83-3678cd26f050", @@ -19706,7 +18576,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5143", + "software_attack_id": "S3262", "source": "Tidal Cyber", "tags": [ "37a70ca8-a027-458c-9a48-7e0d307462be", @@ -19728,7 +18598,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5036", + "software_attack_id": "S3038", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", @@ -19771,7 +18641,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5040", + "software_attack_id": "S3042", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -19829,12 +18699,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "471d0e9f-2c8a-4e4b-8f3b-f85d2407806e", - "type": "similar" - } - ], + "related": [], "uuid": "c8af096e-c71e-4751-b203-70c285b7a7bd", "value": "ProLock" }, @@ -19845,7 +18710,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5232", + "software_attack_id": "S3353", "source": "Tidal Cyber", "tags": [ "77131d00-b8b2-42ef-afbd-1fbfc12729df", @@ -19872,12 +18737,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", - "type": "similar" - } - ], + "related": [], "uuid": "d3bcdbc4-5998-4e50-bd45-cba6a3278427", "value": "Proton" }, @@ -19888,7 +18748,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5144", + "software_attack_id": "S3263", "source": "Tidal Cyber", "tags": [ "9e5ec91c-0d0f-4e40-846d-d7b7eb941e17", 
@@ -19903,6 +18763,34 @@ "uuid": "83e1ac24-3928-40ba-b701-d72549a9430c", "value": "Provlaunch" }, + { + "description": "According to joint Cybersecurity Advisory AA24-249A (September 2024), ProxyChains is \"a tool used to route internal traffic through a series of proxies\". It has been abused by adversaries including Unit 29155 Russian military cyber actors.[[U.S. CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "macOS", + "Linux" + ], + "software_attack_id": "S3168", + "source": "Tidal Cyber", + "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", + "be319849-fb2c-4b5f-8055-0bde562c280b" + ], + "type": [ + "tool" + ] + }, + "related": [], + "uuid": "b62c13d5-729c-46a8-ae4d-98bc1ab919cb", + "value": "ProxyChains" + }, { "description": "[Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is a malicious DLL used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [[McAfee GhostSecret](https://app.tidalcyber.com/references/d1cd4f5b-253c-4833-8905-49fb58e7c016)]", "meta": { 
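Review bot: The new ProxyChains object has `"related": []` although its description states the tool has been abused by Unit 29155, whereas the other objects added in this commit (ODAgent, PTSOCKET, PUBLOAD) carry a `used-by` edge to the actor their description names. If a group object for Unit 29155 exists in the companion groups cluster, add `{ "dest-uuid": "<unit-29155-group-uuid>", "type": "used-by" }` so the relation is queryable rather than buried in prose; if none exists, the description should say the attribution is taken from the advisory only.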
@@ -19919,10 +18807,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "069af411-9b24-4e85-b26c-623d035bbe84", - "type": "similar" } ], "uuid": "94f43629-243e-49dc-8c2b-cdf4fc15cf83", @@ -19940,12 +18824,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "13183cdf-280b-46be-913a-5c6df47831e7", - "type": "similar" - } - ], + "related": [], "uuid": "8cd401ac-a233-4395-a8ae-d75db9d5b845", "value": "PS1" }, @@ -19958,6 +18837,8 @@ "software_attack_id": "S0029", "source": "MITRE", "tags": [ + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d903e38b-600d-4736-9e3b-cf1a6e436481", "e551ae97-d1b4-484e-9267-89f33829ec2c", "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -19985,6 +18866,10 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" @@ -20160,10 +19045,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "type": "similar" } ], "uuid": "73eb32af-4bd3-4e21-8048-355edc55a9c6", @@ -20176,7 +19057,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5145", + "software_attack_id": "S3264", "source": "Tidal Cyber", "tags": [ "08f4ef8d-94bb-42f7-b76d-71bcc809bcc9", @@ -20207,10 +19088,6 @@ { "dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4", "type": "used-by" - }, - { - "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "type": "similar" } ], "uuid": "8c35d349-2f70-4edb-8668-e1cc2b67e4a0", 
@@ -20235,15 +19112,65 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" - }, - { - "dest-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "type": "similar" } ], "uuid": "7fed4276-807e-4656-95f5-90878b6e2dbb", "value": "Pteranodon" }, + { + "description": "PTSOCKET is an exfiltration tool, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3175", + "source": "Tidal Cyber", + "tags": [ + "8bf128ad-288b-41bc-904f-093f4fdde745", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "c1215fe3-95e4-49e1-9cb2-54d1827df0aa", + "value": "PTSOCKET" + }, + { + "description": "PUBLOAD is a multi-purpose tool primarily used to orchestrate command and control, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3176", + "source": "Tidal Cyber", + "tags": [ + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", + "type": "used-by" + } + ], + "uuid": "13ee9058-0902-484e-8096-670c882cb18d", + "value": "PUBLOAD" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries 
(LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Proxy execution with Pubprn.vbs\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n* C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n\n**Resources:**\n* [https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/](https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/)\n* [https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology](https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology)\n* [https://github.com/enigma0x3/windows-operating-system-archaeology](https://github.com/enigma0x3/windows-operating-system-archaeology)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_pubprn.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml)[[Pubprn.vbs - LOLBAS Project](/references/d2b6b9fd-5f80-41c0-ac22-06b78c86a9e5)]", "meta": { @@ -20251,7 +19178,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5260", + "software_attack_id": "S3381", "source": "Tidal Cyber", "tags": [ "8177e8ac-f80d-477d-b0af-c2ea243ddf00", @@ -20288,10 +19215,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", - "type": "similar" } ], "uuid": "d777204c-f93c-54d9-b80e-41641a3d55ce", 
@@ -20304,7 +19227,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5068", + "software_attack_id": "S3093", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -20344,10 +19267,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", - "type": "similar" } ], "uuid": "d8999d60-3818-4d75-8756-8a55531254d8", @@ -20372,10 +19291,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", - "type": "similar" } ], "uuid": "1638d99b-fbcf-40ec-ac48-802ce5be520a", @@ -20404,10 +19319,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", - "type": "similar" } ], "uuid": "0a8bedc2-b404-4a9a-b4f5-ff90ff8294be", @@ -20420,7 +19331,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5291", + "software_attack_id": "S3007", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -20442,9 +19353,11 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5065", + "software_attack_id": "S3090", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", "af5e9be5-b86e-47af-91dd-966a5e34a186", "27a117ce-bb19-4f79-9bc2-a851b69c5c50", "6070668f-1cbd-4878-8066-c636d1d8659c", @@ -20463,6 +19376,14 @@ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" @@ -20484,6 +19405,7 @@ "software_attack_id": "S0006", "source": "MITRE", "tags": [ + "c1f5abc0-340f-4b93-96d7-ca6ea7942b64", "4d767e87-4cf6-438a-927a-43d2d0beaab7" ], "type": [ 
@@ -20514,10 +19436,6 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" - }, - { - "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", - "type": "similar" } ], "uuid": "77f629db-d971-49d8-8b73-c7c779b7de3e", @@ -20542,10 +19460,6 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" - }, - { - "dest-uuid": "2ac41e8b-4865-4ced-839d-78e7852c47f3", - "type": "similar" } ], "uuid": "51b2c56e-7d64-4e15-b1bd-45a980c9c44d", @@ -20568,12 +19482,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a19c1197-9414-46e3-986f-0f609ff4a46b", - "type": "similar" - } - ], + "related": [], "uuid": "e0d5ecce-eca0-4f01-afcc-0c8e92323016", "value": "Pysa" }, @@ -20613,10 +19522,6 @@ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" - }, - { - "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", - "type": "similar" } ], "uuid": "9050b418-5ffd-481a-a30d-f9059b0871ea", @@ -20630,7 +19535,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5326", + "software_attack_id": "S3141", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -20660,7 +19565,7 @@ "platforms": [ "Linux" ], - "software_attack_id": "S5310", + "software_attack_id": "S3123", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", 
@@ -20678,6 +19583,33 @@
 "uuid": "01a33c16-7eb3-4494-8c05-b163f871b951",
 "value": "Qilin Ransomware (Linux)"
 },
+ {
+ "description": "This object reflects ATT&CK Techniques associated with 7777 or Quad7, a botnet used to compromise network devices such as TP-LINK small office/home office (\"SOHO\") routers and use the infected devices to relay password spraying attacks against Microsoft 365 accounts.\n\nAdditional Techniques associated with the botnet's operators can be found in the related Group object, \"Quad7 Botnet Operators\".[[Sekoia.io Blog July 23 2024](/references/ae84e72a-56b3-4dc4-b053-d3766764ac0d)][[Sekoia.io Blog September 9 2024](/references/eb4a1888-3b04-449b-9738-d96ae26adfee)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S3171",
+ "source": "Tidal Cyber",
+ "tags": [
+ "e809d252-12cc-494d-94f5-954c49eb87ce",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bf3d1108-0bcd-47ae-8d71-4df48e3e2b43",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "adcf70d6-74e0-4436-bc92-f05bc924bf80",
+ "value": "Quad7 Botnet"
+ },
 {
 "description": "[QUADAGENT](https://app.tidalcyber.com/software/2bf68242-1dbd-405b-ac35-330eda887081) is a PowerShell backdoor used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). [[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]",
 "meta": {
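Review bot: The Quad7 Botnet description points readers to the operators cluster by display name (`"Quad7 Botnet Operators"`) while the `related` entry identifies it by UUID `bf3d1108-0bcd-47ae-8d71-4df48e3e2b43`; if that group is ever renamed the prose goes stale while the edge stays correct. Prefer wording that leans on the modelled relation, e.g. `Additional Techniques associated with the botnet's operators can be found in the related Group object linked via the used-by relation below.` The enclosing `values` array begins before and ends after the hunk.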
@@ -20697,15 +19629,44 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", - "type": "similar" } ], "uuid": "2bf68242-1dbd-405b-ac35-330eda887081", "value": "QUADAGENT" }, + { + "description": "Quantum Locker is a ransomware payload that derives from the MountLocker, AstroLocker, and XingLocker ransomware families. Actors that deploy Quantum ransomware are known to publicly extort their victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3184", + "source": "Tidal Cyber", + "tags": [ + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, + { + "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3", + "type": "used-by" + } + ], + "uuid": "b0c18cd8-a859-4cd2-9558-33e5bcd4610c", + "value": "Quantum Locker" + }, { "description": "[QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is developed in the C# language.[[GitHub QuasarRAT](https://app.tidalcyber.com/references/c87e4427-af97-4e93-9596-ad5a588aa171)][[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]", "meta": { 
@@ -20741,10 +19702,6 @@ { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" - }, - { - "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", - "type": "similar" } ], "uuid": "4bab7c2b-5ec4-467e-8df4-f2e6996e136b", @@ -20757,7 +19714,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5319", + "software_attack_id": "S3134", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -20795,12 +19752,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4", - "type": "similar" - } - ], + "related": [], "uuid": "52d3515c-5184-5257-bf24-56adccb4cccd", "value": "QUIETCANARY" }, @@ -20823,10 +19775,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", - "type": "similar" } ], "uuid": "947ab087-7550-577f-9ae9-5e82e9910610", @@ -20851,10 +19799,6 @@ { "dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067", "type": "used-by" - }, - { - "dest-uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828", - "type": "similar" } ], "uuid": "dcdb74c5-4445-49bd-9f9c-236a7ecc7904", @@ -20867,7 +19811,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5053", + "software_attack_id": "S3076", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -20908,7 +19852,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5070", + "software_attack_id": "S3095", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", @@ -20934,7 +19878,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5281", + "software_attack_id": "S3120", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -20976,8 +19920,6 @@ "software_attack_id": "S0481", "source": "MITRE", "tags": [ - "c6e1f516-1a18-4ff9-b563-e6ac8103b104", - "2feda37d-5579-4102-a073-aa02e82cb49f", "cb5803f0-8ab4-4ada-8540-7758dfc126e2", "5e7433ad-a894-4489-93bc-41e90da90019", "a2e000da-8181-4327-bacd-32013dbd3654", 
@@ -20991,10 +19933,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb", - "type": "similar" } ], "uuid": "d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f", @@ -21019,10 +19957,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", - "type": "similar" } ], "uuid": "80295aeb-59e3-4c5d-ac39-9879158f8d23", @@ -21044,10 +19978,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7", - "type": "similar" } ], "uuid": "42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e", @@ -21065,12 +19995,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", - "type": "similar" - } - ], + "related": [], "uuid": "dc307b3c-9bc5-4624-b0bc-4807fa1fc57b", "value": "Ramsay" }, @@ -21081,9 +20006,12 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5325", + "software_attack_id": "S3140", "source": "Tidal Cyber", "tags": [ + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", + "15787198-6c8b-4f79-bf50-258d55072fee", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -21107,6 +20035,10 @@ { "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", "type": "used-by" + }, + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" } ], "uuid": "a3044fb5-3aae-4590-b589-cc88bf0d1f34", 
@@ -21129,15 +20061,41 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b", - "type": "similar" } ], "uuid": "129abb68-7992-554e-92fa-fa376279c0b6", "value": "RAPIDPULSE" }, + { + "description": "Raptor Train is a large botnet, linked to Chinese espionage actor Flax Typhoon, that consisted of compromised small office/home office (SOHO) and IoT devices. Raptor Train is believed to have acted as a proxy to conceal further malicious activity such as targeted compromises of U.S. and Taiwanese networks.[[Black Lotus Raptor Train September 18 2024](/references/21e26577-887b-4b8c-a3f8-4ab8868bed69)][[FBI PRC Botnet September 18 2024](/references/cfb6f191-6c43-423b-9289-02beb3d721d1)]\n\nInitial compromises typically occurred through exploit of a large number of previously disclosed vulnerabilities, a list of which is provided in a [September 2024 U.S. cybersecurity advisory](https://www.ic3.gov/Media/News/2024/240918.pdf).[[FBI PRC Botnet September 18 2024](/references/cfb6f191-6c43-423b-9289-02beb3d721d1)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Network" + ], + "software_attack_id": "S3188", + "source": "Tidal Cyber", + "tags": [ + "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a", + "a159c91c-5258-49ea-af7d-e803008d97d3", + "70dc52b0-f317-4134-8a42-71aea1443707", + "b20e7912-6a8d-46e3-8e13-9a3fc4813852", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2", + "type": "used-by" + } + ], + "uuid": "6d516363-4f83-4ba9-9726-1821b167e5e3", + "value": "Raptor Train" + }, { "description": "[RARSTONE](https://app.tidalcyber.com/software/a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2) is malware used by the [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) group that has some characteristics similar to 
[PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10). [[Aquino RARSTONE](https://app.tidalcyber.com/references/2327592e-4e8a-481e-bdf9-d548c776adee)]", "meta": { @@ -21157,10 +20115,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "type": "similar" } ], "uuid": "a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2", @@ -21173,7 +20127,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5146", + "software_attack_id": "S3265", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -21194,9 +20148,14 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5002", + "software_attack_id": "S3011", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "e809d252-12cc-494d-94f5-954c49eb87ce" @@ -21230,10 +20189,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", - "type": "similar" } ], "uuid": "40466d7d-a107-46aa-a6fc-180e0eef2c6b", @@ -21255,10 +20210,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", - "type": "similar" } ], "uuid": "d86a562d-d235-4481-9a3f-273fa3ebe89a", @@ -21280,10 +20231,6 @@ { "dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83", "type": "used-by" - }, - { - "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "type": "similar" } ], "uuid": "6ea1bf95-fed8-4b94-8071-aa19a3af5e34", 
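Review bot: The Raptor Train description embeds a raw external URL (`https://www.ic3.gov/Media/News/2024/240918.pdf`) as an inline Markdown link, whereas every other citation in this file goes through the `[[Name](/references/<uuid>)]` reference mechanism — and the same advisory is already cited immediately afterwards as `FBI PRC Botnet September 18 2024`. Drop the inline URL and let the reference object carry the link, so it is maintained in one place and renders like the rest of the galaxy; the sentence would read `... a list of which is provided in a September 2024 U.S. cybersecurity advisory.[[FBI PRC Botnet September 18 2024](/references/cfb6f191-6c43-423b-9289-02beb3d721d1)]`. This hunk starts on the previous line and the enclosing array lies outside it.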
@@ -21300,6 +20247,8 @@ "software_attack_id": "S1040", "source": "MITRE", "tags": [ + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", "d903e38b-600d-4736-9e3b-cf1a6e436481", "d819ae1a-e385-49fd-88d5-f66660729ecb", "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -21327,6 +20276,10 @@ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -21374,10 +20327,6 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" - }, - { - "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79", - "type": "similar" } ], "uuid": "1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4", @@ -21406,10 +20355,6 @@ { "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47", "type": "used-by" - }, - { - "dest-uuid": "03acae53-9b98-46f6-b204-16b930839055", - "type": "similar" } ], "uuid": "38c4d208-fe38-4965-871c-709fa1479ba3", @@ -21422,7 +20367,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5233", + "software_attack_id": "S3354", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -21455,10 +20400,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b", - "type": "similar" } ], "uuid": "567da30e-fd4d-4ec5-a308-bf08788f3bfb", @@ -21483,10 +20424,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "065196de-d7e8-4888-acfb-b2134022ba1b", - "type": "similar" } ], "uuid": "ca4e973c-da15-46a9-8f3a-0b1560c9a783", @@ -21499,7 +20436,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5012", + "software_attack_id": "S3052", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", 
@@ -21529,7 +20466,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5147", + "software_attack_id": "S3266", "source": "Tidal Cyber", "tags": [ "9fbc403c-bd2e-458a-a202-a65b8201e973", @@ -21556,12 +20493,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "type": "similar" - } - ], + "related": [], "uuid": "ca544771-d43e-4747-80e5-cf0f4a4836f3", "value": "Reaver" }, @@ -21581,10 +20513,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "type": "similar" } ], "uuid": "5264c3ab-14e1-4ae1-854e-889ebde029b4", @@ -21654,10 +20582,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "type": "similar" } ], "uuid": "d796615c-fa3d-4afd-817a-1a3db8c73532", @@ -21670,7 +20594,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5148", + "software_attack_id": "S3268", "source": "Tidal Cyber", "tags": [ "7d31d8f7-375b-4fb3-a631-51b42e58d95a", @@ -21704,10 +20628,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd", - "type": "similar" } ], "uuid": "52dc08d8-82cc-46dc-91ae-383193d72963", @@ -21720,7 +20640,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5149", + "software_attack_id": "S3269", "source": "Tidal Cyber", "tags": [ "36affa3d-c949-4e1b-8667-299490580dd5", @@ -21747,12 +20667,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "type": "similar" - } - ], + "related": [], "uuid": "e88bf527-bb9c-45c3-b86b-04a07dcd91fd", "value": "Regin" }, @@ -21763,7 +20678,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5150", + "software_attack_id": "S3270", "source": "Tidal Cyber", "tags": [ "288c6e19-cf6c-451a-aff3-547f371ff4ad", 
@@ -21785,7 +20700,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5151", + "software_attack_id": "S3271", "source": "Tidal Cyber", "tags": [ "d379a1fb-1028-4986-ae6c-eb8cc068aa68", @@ -21807,7 +20722,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5152", + "software_attack_id": "S3272", "source": "Tidal Cyber", "tags": [ "141e4dce-00be-4bd7-9f81-6202939f0359", @@ -21829,7 +20744,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5153", + "software_attack_id": "S3273", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -21895,6 +20810,7 @@ "software_attack_id": "S0332", "source": "MITRE", "tags": [ + "db8f1478-995a-4d9e-ad48-fd8583730e0b", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ @@ -21909,10 +20825,6 @@ { "dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091", "type": "used-by" - }, - { - "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", - "type": "similar" } ], "uuid": "2eb92fa8-514e-4018-adc4-c9fe4f082567", @@ -21934,10 +20846,6 @@ { "dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1", "type": "used-by" - }, - { - "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", - "type": "similar" } ], "uuid": "82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb", @@ -21950,7 +20858,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5234", + "software_attack_id": "S3355", "source": "Tidal Cyber", "tags": [ "828f1559-b13d-4426-9dcf-5f601fcb6ff0", @@ -21981,10 +20889,6 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" - }, - { - "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", - "type": "similar" } ], "uuid": "57fa64ea-975a-470a-a194-3428148ae9ee", @@ -22006,10 +20910,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b", - "type": "similar" } ], "uuid": "8a7fa0df-c688-46be-94bf-462fae33b788", 
@@ -22031,10 +20931,6 @@ { "dest-uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1", "type": "used-by" - }, - { - "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "type": "similar" } ], "uuid": "e3729cff-f25e-4c01-a7a1-e8b83e903b30", @@ -22047,7 +20943,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5154", + "software_attack_id": "S3274", "source": "Tidal Cyber", "tags": [ "accb4d24-4b40-41ce-ae2e-adcca7e80b41", @@ -22068,6 +20964,8 @@ "software_attack_id": "S0174", "source": "MITRE", "tags": [ + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "15787198-6c8b-4f79-bf50-258d55072fee", "af5e9be5-b86e-47af-91dd-966a5e34a186", "6070668f-1cbd-4878-8066-c636d1d8659c", "d8f7e071-fbfd-46f8-b431-e241bb1513ac", @@ -22087,10 +20985,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", - "type": "similar" } ], "uuid": "2a5ea3a7-9873-4a2e-b4b5-4e27a80db305", @@ -22116,10 +21010,6 @@ { "dest-uuid": "830079fe-9824-405b-93e0-c28592155c49", "type": "used-by" - }, - { - "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", - "type": "similar" } ], "uuid": "f99712b4-37a2-437c-92d7-fb4f94a1f892", @@ -22134,6 +21024,7 @@ "software_attack_id": "S0496", "source": "MITRE", "tags": [ + "e755f9bf-0007-411c-950d-4b66934298b4", "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "286918d5-0b48-4655-9118-907b53de0ee0", @@ -22165,10 +21056,6 @@ { "dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a", "type": "used-by" - }, - { - "dest-uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "type": "similar" } ], "uuid": "9314531e-bf46-4cba-9c19-198279ccf9cd", @@ -22193,10 +21080,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", - "type": "similar" } ], "uuid": "d5649d69-52d4-4198-9683-b250348dea32", 
@@ -22209,9 +21092,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5302", + "software_attack_id": "S3065", "source": "Tidal Cyber", "tags": [ + "abea659c-fe23-4252-afc0-17b8adaa24f7", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -22223,6 +21107,10 @@ ] }, "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" @@ -22247,10 +21135,6 @@ { "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" - }, - { - "dest-uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65", - "type": "similar" } ], "uuid": "ca5ae7c8-467a-4434-82fc-db50ce3fc671", @@ -22272,10 +21156,6 @@ { "dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762", "type": "used-by" - }, - { - "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", - "type": "similar" } ], "uuid": "00fa4cc2-6f99-4b18-b927-689964ef57e1", @@ -22293,12 +21173,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "56e6b6c2-e573-4969-8bab-783205cebbbf", - "type": "similar" - } - ], + "related": [], "uuid": "19b1f1c8-5ef3-4328-b605-38e0bafc084d", "value": "Rising Sun" }, @@ -22318,10 +21193,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d", - "type": "similar" } ], "uuid": "15bc8e94-64d1-4f1f-bc99-08cfbac417dc", @@ -22344,12 +21215,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0a607c53-df52-45da-a75d-0e53df4dad5f", - "type": "similar" - } - ], + "related": [], "uuid": "b65956ef-439a-463d-b85e-6606467f508a", "value": "RobbinHood" }, @@ -22369,10 +21235,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", - "type": "similar" } ], "uuid": "cb7aa34e-312f-4210-be7b-47a1e3f5b7b5", 
@@ -22394,10 +21256,6 @@ { "dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75", "type": "used-by" - }, - { - "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", - "type": "similar" } ], "uuid": "852cf78d-9cdc-4971-a972-405921027436", @@ -22422,10 +21280,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", - "type": "similar" } ], "uuid": "a3479628-af0b-4088-8d2a-fafa384731dd", @@ -22438,7 +21292,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5295", + "software_attack_id": "S3018", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -22474,10 +21328,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", - "type": "similar" } ], "uuid": "169bfcf6-544c-5824-a7cd-2d5070304b57", @@ -22500,10 +21350,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", - "type": "similar" } ], "uuid": "3b755518-9085-474e-8bc4-4f9344d9c8af", @@ -22521,12 +21367,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "type": "similar" - } - ], + "related": [], "uuid": "ef38ff3e-fa36-46f2-a720-3abaca167b04", "value": "Rover" }, @@ -22539,6 +21380,7 @@ "software_attack_id": "S1073", "source": "MITRE", "tags": [ + "b05fef45-bf36-47a0-b96a-cc76ac8a4f1e", "e551ae97-d1b4-484e-9267-89f33829ec2c", "a2e000da-8181-4327-bacd-32013dbd3654", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -22557,10 +21399,6 @@ { "dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5", "type": "used-by" - }, - { - "dest-uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21", - "type": "similar" } ], "uuid": "221e24cb-910f-5988-9473-578ef350870c", 
@@ -22573,7 +21411,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5155", + "software_attack_id": "S3275", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -22594,7 +21432,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5076", + "software_attack_id": "S3101", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" @@ -22628,10 +21466,6 @@ { "dest-uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd", "type": "used-by" - }, - { - "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "type": "similar" } ], "uuid": "1836485e-a3a6-4fae-a15d-d0990788811a", @@ -22659,6 +21493,10 @@ "dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7", "type": "used-by" }, + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7", "type": "used-by" @@ -22670,10 +21508,6 @@ { "dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8", "type": "used-by" - }, - { - "dest-uuid": "e33267fe-099f-4af2-8730-63d49f8813b2", - "type": "similar" } ], "uuid": "2e54f40c-ab62-535e-bbab-3f3a835ff55a", @@ -22696,10 +21530,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", - "type": "similar" } ], "uuid": "69563cbd-7dc1-4396-b576-d5886df11046", @@ -22712,7 +21542,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5156", + "software_attack_id": "S3276", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -22812,7 +21642,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5157", + "software_attack_id": "S3277", "source": "Tidal Cyber", "tags": [ "270a347d-d2e1-4d46-9b32-37e8d7264301", @@ -22839,12 +21669,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58", - "type": "similar" - } - ], + "related": [], "uuid": "e8afda1f-fa83-4fc3-b6fb-7d5daca7173f", "value": "RunningRAT" }, 
@@ -22855,7 +21680,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5158", + "software_attack_id": "S3278", "source": "Tidal Cyber", "tags": [ "065db33d-c152-4ba9-8bf9-13616f78ae05", @@ -22877,7 +21702,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5159", + "software_attack_id": "S3279", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -22900,6 +21725,7 @@ "software_attack_id": "S0446", "source": "MITRE", "tags": [ + "74eb9cdd-409f-41d6-bb4f-39af6d1b3232", "89c5b94b-ecf4-4d53-9b74-3465086d4565", "3ed3f7a6-b446-4fbc-a433-ff1d63c0e647", "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -22926,10 +21752,6 @@ { "dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c", "type": "used-by" - }, - { - "dest-uuid": "a020a61c-423f-4195-8c46-ba1d21abba37", - "type": "similar" } ], "uuid": "8ae86854-4cdc-49eb-895a-d1fa742f7974", @@ -22954,10 +21776,6 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" - }, - { - "dest-uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b", - "type": "similar" } ], "uuid": "d66e5d18-e9f5-4091-bdf4-acdac129e2e0", 
@@ -22982,15 +21800,39 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" - }, - { - "dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "type": "similar" } ], "uuid": "a316c704-144a-4d14-8e4e-685bb6ae391c", "value": "Sakula" }, + { + "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3156", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "84615fe0-c2a5-4e07-8957-78ebc29b4635", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "5276226d-5453-42db-8701-a83b2b061b5b", + "value": "SampleCheck5000" + }, { "description": "[SamSam](https://app.tidalcyber.com/software/88831e9f-453e-466f-9510-9acaa1f20368) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)][[Talos SamSam Jan 2018](https://app.tidalcyber.com/references/0965bb64-be96-46b9-b60f-6829c43a661f)][[Sophos SamSam Apr 2018](https://app.tidalcyber.com/references/4da5e9c3-7205-4a6e-b147-be7c971380f0)][[Symantec SamSam Oct 2018](https://app.tidalcyber.com/references/c5022a91-bdf4-4187-9967-dfe6362219ea)]", "meta": { 
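Review bot: The new SampleCheck5000 entry's description never names the software (`This is one of a series of malicious downloaders…`), so the text is meaningless once detached from the `value` field; prefer `SampleCheck5000 is one of a series of malicious downloaders attributed to the Iran-linked espionage actor OilRig…`. The reference link in the same string is relative (`/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc`) while the adjacent SamSam entry uses absolute `https://app.tidalcyber.com/references/…` URLs, so the new link resolves nowhere when the cluster is rendered outside that site; the same relative form appears in every new entry (L784, L785, L786, L794, L795), and the Solar entry at L794 likewise omits its own name. If the reference is served at the same path on app.tidalcyber.com, use the absolute form for consistency with the rest of the file.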
@@ -23007,12 +21849,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", - "type": "similar" - } - ], + "related": [], "uuid": "88831e9f-453e-466f-9510-9acaa1f20368", "value": "SamSam" }, @@ -23032,10 +21869,6 @@ { "dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b", "type": "used-by" - }, - { - "dest-uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0", - "type": "similar" } ], "uuid": "bd75c822-7be6-5e6f-bd2e-0512be6d38d9", @@ -23057,10 +21890,6 @@ { "dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f", "type": "used-by" - }, - { - "dest-uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", - "type": "similar" } ], "uuid": "9ab0d523-3496-5e64-9ca1-bb756f5e64e0", @@ -23073,7 +21902,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5160", + "software_attack_id": "S3280", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", 
@@ -23087,6 +21916,56 @@ "uuid": "41be663f-ecc9-4ab6-afeb-c52737f84858", "value": "Sc" }, + { + "description": "Scarab is a ransomware written in Delphi.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3181", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + } + ], + "uuid": "da077c2b-9e7a-4f35-b187-af2876496799", + "value": "Scarab Ransomware" + }, + { + "description": "ScService is a custom tool used by CosmicBeetle, mainly used as an orchestrator for other tools during the group's intrusions.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3180", + "source": "Tidal Cyber", + "tags": [ + "be319849-fb2c-4b5f-8055-0bde562c280b", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "3d3f0187-d08a-468a-8956-b3502fdeaea5", + "value": "ScHackTool" + }, { "description": "[schtasks](https://app.tidalcyber.com/software/2aacbf3a-a359-41d2-9a71-76447f0545b5) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [[TechNet Schtasks](https://app.tidalcyber.com/references/17c03e27-222d-41b5-9fa2-34f0939e5371)]", "meta": { 
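Review bot: The entry whose `value` is `ScHackTool` carries a description that begins `ScService is a custom tool used by CosmicBeetle, mainly used as an orchestrator…`, while a separate `ScService` entry with its own description is added at L786; this looks like a copy-paste in the description and will mislead anyone reading the object on its own. Change it to `ScHackTool is a custom tool used by CosmicBeetle, mainly used as an orchestrator for other tools during the group's intrusions.` after confirming the attribution against the cited report. The `Scarab Ransomware` entry in the same hunk reads consistently.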
@@ -23151,15 +22030,39 @@ { "dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb", "type": "used-by" - }, - { - "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", - "type": "similar" } ], "uuid": "2aacbf3a-a359-41d2-9a71-76447f0545b5", "value": "schtasks" }, + { + "description": "ScRansom is a custom ransomware used by the CosmicBeetle group, serving as a successor to the previously used Scarab Ransomware.[[WeLiveSecurity CosmicBeetle September 10 2024](/references/8debba29-4d6d-41d2-8772-f97c7d49056b)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3178", + "source": "Tidal Cyber", + "tags": [ + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8", + "type": "used-by" + } + ], + "uuid": "34964908-7162-4bcc-ab2a-d0dc1b3b82ef", + "value": "ScRansom" + }, { "description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute binary through proxy binary to evade defensive counter measures\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\scriptrunner.exe\n* C:\\Windows\\SysWOW64\\scriptrunner.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/914800377580503040](https://twitter.com/KyleHanslovan/status/914800377580503040)\n* [https://twitter.com/NickTyrer/status/914234924655312896](https://twitter.com/NickTyrer/status/914234924655312896)\n* [https://github.com/MoooKitty/Code-Execution](https://github.com/MoooKitty/Code-Execution)\n\n**Detection:**\n* Sigma: 
[proc_creation_win_servu_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml)\n* IOC: Scriptrunner.exe should not be in use unless App-v is deployed[[Scriptrunner.exe - LOLBAS Project](/references/805d16cc-8bd0-4f80-b0ac-c5b5df51427c)]", "meta": { @@ -23167,7 +22070,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5161", + "software_attack_id": "S3282", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -23188,7 +22091,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5194", + "software_attack_id": "S3315", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -23202,6 +22105,28 @@ "uuid": "101f7867-9c5c-482e-b26e-9fdb8ff9b2c7", "value": "Scrobj" }, + { + "description": "ScService is a custom, \"simple\" backdoor used by the CosmicBeetle group.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3179", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "f9840d08-eb55-4c19-a1af-964e10dae0d4", + "value": "ScService" + }, { "description": "[SDBbot](https://app.tidalcyber.com/software/046bbd0c-bff5-46fc-9028-cbe46a9f8ec5) is a backdoor with installer and loader components that has been used by [TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) since at least 2019.[[Proofpoint TA505 October 2019](https://app.tidalcyber.com/references/711ea2b3-58e2-4b38-aa71-877029c12e64)][[IBM TA505 April 2020](https://app.tidalcyber.com/references/bcef8bf8-5fc2-4921-b920-74ef893b8a27)]", "meta": { 
@@ -23221,10 +22146,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c", - "type": "similar" } ], "uuid": "046bbd0c-bff5-46fc-9028-cbe46a9f8ec5", @@ -23261,10 +22182,6 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" - }, - { - "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", - "type": "similar" } ], "uuid": "3d4be65d-231b-44bb-8d12-5038a3d48bae", @@ -23289,10 +22206,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "type": "similar" } ], "uuid": "ae30d58e-21c5-41a4-9ebb-081dc1f26863", @@ -23314,10 +22227,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", - "type": "similar" } ], "uuid": "3527b09b-f3f6-4716-9f90-64ea7d3b9d8a", @@ -23342,10 +22251,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "type": "similar" } ], "uuid": "42c8504c-8a18-46d2-a145-35b0cd8ba669", @@ -23358,7 +22263,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5042", + "software_attack_id": "S3044", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -23393,9 +22298,13 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5072", + "software_attack_id": "S3097", "source": "Tidal Cyber", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "61b7b81d-3f98-4bed-97a9-d6c536b8969b", "35e694ec-5133-46e3-b7e1-5831867c3b55", @@ -23435,7 +22344,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5329", + "software_attack_id": "S3144", "source": "Tidal Cyber", "tags": [ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", 
@@ -23478,10 +22387,6 @@ { "dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1", "type": "used-by" - }, - { - "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", - "type": "similar" } ], "uuid": "704ed49d-103c-4b33-b85c-73670cc1d719", @@ -23503,12 +22408,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "f931a0b9-0361-4b1b-bacf-955062c35746", - "type": "similar" - } - ], + "related": [], "uuid": "fb47c051-d22b-4a05-94a7-cf979419b60a", "value": "Seth-Locker" }, @@ -23519,7 +22419,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5162", + "software_attack_id": "S3283", "source": "Tidal Cyber", "tags": [ "d75511ab-cbff-46d3-8268-427e3cff134a", @@ -23541,7 +22441,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5163", + "software_attack_id": "S3284", "source": "Tidal Cyber", "tags": [ "8929bc83-9ed6-4579-b837-40236b59b383", @@ -23563,7 +22463,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5195", + "software_attack_id": "S3316", "source": "Tidal Cyber", "tags": [ "da405033-3571-4f98-9810-53d9df1ac0fb", @@ -23587,6 +22487,7 @@ "software_attack_id": "S0596", "source": "MITRE", "tags": [ + "a7346d6d-d5c9-497c-b3b3-54fb95dd4d68", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" ], "type": [ @@ -23613,10 +22514,6 @@ { "dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c", "type": "used-by" - }, - { - "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", - "type": "similar" } ], "uuid": "5190f50d-7e54-410a-9961-79ab751ddbab", @@ -23637,12 +22534,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "type": "similar" - } - ], + "related": [], "uuid": "840db1db-e262-4d6f-b6e3-2a64696a41c5", "value": "Shamoon" }, @@ -23665,10 +22557,6 @@ { "dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735", "type": "used-by" - }, - { - "dest-uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229", - "type": "similar" } ], "uuid": "278da5e8-4d4c-4c45-ad72-8f078872fb4a", 
@@ -23681,7 +22569,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5075", + "software_attack_id": "S3100", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" @@ -23715,10 +22603,6 @@ { "dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc", "type": "used-by" - }, - { - "dest-uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", - "type": "similar" } ], "uuid": "4ed1e83b-a208-5518-bed2-d07c1b289da2", @@ -23731,7 +22615,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5327", + "software_attack_id": "S3142", "source": "Tidal Cyber", "tags": [ "8bf128ad-288b-41bc-904f-093f4fdde745", @@ -23760,7 +22644,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5275", + "software_attack_id": "S3115", "source": "Tidal Cyber", "tags": [ "c5a258ce-9045-48d9-b254-ec2bf6437bb5", @@ -23801,7 +22685,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5060", + "software_attack_id": "S3083", "source": "Tidal Cyber", "tags": [ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -23827,9 +22711,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5004", + "software_attack_id": "S3013", "source": "Tidal Cyber", "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", "e1af18e3-3224-4e4c-9d0f-533768474508", "cd1b5d44-226e-4405-8985-800492cf2865", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", @@ -23842,6 +22727,10 @@ ] }, "related": [ + { + "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", + "type": "used-by" + }, { "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd", "type": "used-by" @@ -23870,10 +22759,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", - "type": "similar" } ], "uuid": "564643fd-7113-490e-9f6a-f0cc3f0e1a4c", @@ -23898,10 +22783,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9", - "type": "similar" } ], "uuid": "f655306f-f7b4-4eec-9bd6-ac75142fcb43", 
@@ -23914,7 +22795,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5196", + "software_attack_id": "S3317", "source": "Tidal Cyber", "tags": [ "2c0f0b44-9b09-49a0-8dc5-d9fdcc515825", @@ -23936,7 +22817,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5197", + "software_attack_id": "S3318", "source": "Tidal Cyber", "tags": [ "e0b9882e-b9bb-4c16-b3d9-9268866eded0", @@ -23958,7 +22839,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5198", + "software_attack_id": "S3319", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -23988,10 +22869,6 @@ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" - }, - { - "dest-uuid": "5763217a-05b6-4edd-9bca-057e47b5e403", - "type": "similar" } ], "uuid": "a3287231-351f-472f-96cc-24db2e3829c7", @@ -24013,10 +22890,6 @@ { "dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8", "type": "used-by" - }, - { - "dest-uuid": "115f88dd-0618-4389-83cb-98d33ae81848", - "type": "similar" } ], "uuid": "77d9c948-93e3-4e12-9764-4da7570d9275", @@ -24035,10 +22908,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", - "type": "similar" } ], "uuid": "3db0b464-ec5d-4cdd-86c2-62eac9c8acd6", @@ -24060,10 +22929,6 @@ { "dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9", "type": "used-by" - }, - { - "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "type": "similar" } ], "uuid": "49351818-579e-4298-9137-03b3dc699e22", @@ -24082,10 +22947,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", - "type": "similar" } ], "uuid": "5b2d82a6-ed96-485d-bca9-2320590de890", @@ -24100,6 +22961,7 @@ "software_attack_id": "S0589", "source": "MITRE", "tags": [ + "a95bb8df-9089-4cea-9810-be32b99c3c5d", "84615fe0-c2a5-4e07-8957-78ebc29b4635" ], "type": [ 
@@ -24110,10 +22972,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c", - "type": "similar" } ], "uuid": "ea0a1282-f2bf-4ae0-a19c-d7e379c2309b", @@ -24138,10 +22996,6 @@ { "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", "type": "used-by" - }, - { - "dest-uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de", - "type": "similar" } ], "uuid": "61227a76-d315-4339-803a-e024f96e089e", @@ -24159,12 +23013,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "1244e058-fa10-48cb-b484-0bcf671107ae", - "type": "similar" - } - ], + "related": [], "uuid": "4765999f-c35e-4a9f-8284-9f10a17e6c34", "value": "SILENTTRINITY" }, @@ -24184,12 +23033,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4fbd565b-bf55-4ac7-80b4-b183a7b64b9c", - "type": "similar" - } - ], + "related": [], "uuid": "8ea75674-cc08-40cf-824c-40eb5cd6097e", "value": "Siloscape" }, @@ -24209,10 +23053,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", - "type": "similar" } ], "uuid": "206453a4-a298-4cab-9fdf-f136a4e0c761", @@ -24230,12 +23070,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "4b68b5ea-2e1b-4225-845b-8632f702b9a0", - "type": "similar" - } - ], + "related": [], "uuid": "cc91d3d4-bbf5-4a9c-b43a-2ba034db4858", "value": "Skidmap" }, @@ -24256,10 +23091,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3", - "type": "similar" } ], "uuid": "c8fed4fc-5721-5db2-b107-b2a9b677244e", @@ -24276,6 +23107,10 @@ "software_attack_id": "S0633", "source": "MITRE", "tags": [ + "0fa3a7df-9e1e-4540-996e-590715e8314a", + "d903e38b-600d-4736-9e3b-cf1a6e436481", + "d819ae1a-e385-49fd-88d5-f66660729ecb", + "15787198-6c8b-4f79-bf50-258d55072fee", "e81ba503-60b0-4b64-8f20-ef93e7783796" ], "type": [ 
@@ -24283,6 +23118,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" @@ -24290,10 +23129,6 @@ { "dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c", "type": "used-by" - }, - { - "dest-uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be", - "type": "similar" } ], "uuid": "bbd16b7b-7e35-4a11-86ff-9b19e17bdab3", @@ -24311,12 +23146,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "feb2d7bb-aacb-48df-ad04-ccf41a30cd90", - "type": "similar" - } - ], + "related": [], "uuid": "563c6534-497e-4d65-828c-420d5bb2041a", "value": "SLOTHFULMEDIA" }, @@ -24336,10 +23166,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", - "type": "similar" } ], "uuid": "7c047a54-93cf-4dfc-ab20-d905791aebb2", @@ -24361,10 +23187,6 @@ { "dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910", "type": "used-by" - }, - { - "dest-uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4", - "type": "similar" } ], "uuid": "37e264a6-5ad3-5a79-bf2c-db725622206e", @@ -24389,10 +23211,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", - "type": "similar" } ], "uuid": "c58028b9-2e79-4bc9-9b04-d24ea4dd4948", @@ -24413,12 +23231,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "7e0f8b0f-716e-494d-827e-310bd6ed709e", - "type": "similar" - } - ], + "related": [], "uuid": "9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3", "value": "SMOKEDHAM" }, @@ -24448,10 +23261,6 @@ { "dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a", "type": "used-by" - }, - { - "dest-uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", - "type": "similar" } ], "uuid": "2244253f-a4ad-4ea9-a4bf-fa2f4d895853", 
@@ -24473,10 +23282,6 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" - }, - { - "dest-uuid": "4327aff5-f194-440c-b499-4d9730cc1eab", - "type": "similar" } ], "uuid": "f587dc27-92be-5894-a4a8-d6c8bbcf8ede", @@ -24498,10 +23303,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "type": "similar" } ], "uuid": "d6c24f7c-fe79-4094-8f3c-68c4446ae4c7", @@ -24526,10 +23327,6 @@ { "dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182", "type": "used-by" - }, - { - "dest-uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c", - "type": "similar" } ], "uuid": "ab84f259-9b9a-51d8-a68a-2bcd7512d760", @@ -24547,12 +23344,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94", - "type": "similar" - } - ], + "related": [], "uuid": "c1906bb6-0b5b-4916-8b29-37f7e272f6b3", "value": "Socksbot" }, @@ -24575,10 +23367,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108", - "type": "similar" } ], "uuid": "6ecd970c-427b-4421-a831-69f46047d22a", @@ -24593,7 +23381,7 @@ "Linux", "Windows" ], - "software_attack_id": "S5305", + "software_attack_id": "S3071", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -24620,7 +23408,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5008", + "software_attack_id": "S3045", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", 
@@ -24682,6 +23470,33 @@ "uuid": "4272447f-8803-4947-b66f-051eecdd3385", "value": "SoftPerfect Network Scanner" }, + { + "description": "A backdoor capability associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3161", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "07a94239-bdde-42e7-ba9c-a1d0c81e0c3b", + "value": "Solar" + }, { "description": "[SombRAT](https://app.tidalcyber.com/software/0ec24158-d5d7-4d2e-b5a5-bc862328a317) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) ransomware.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)][[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)][[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]", "meta": { @@ -24697,12 +23512,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "425771c5-48b4-4ecd-9f95-74ed3fc9da59", - "type": "similar" - } - ], + "related": [], "uuid": "0ec24158-d5d7-4d2e-b5a5-bc862328a317", "value": "SombRAT" }, @@ -24725,10 +23535,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0", - "type": "similar" } ], "uuid": "3e959586-14ff-407b-a0d0-4e9580546f3f", 
@@ -24750,10 +23556,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "type": "similar" } ], "uuid": "069538a5-3cb8-4eb4-9fbb-83867bb4d826", @@ -24775,10 +23577,6 @@ { "dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f", "type": "used-by" - }, - { - "dest-uuid": "8b880b41-5139-4807-baa9-309690218719", - "type": "similar" } ], "uuid": "0f8d0a73-9cd3-475a-b31b-d457278c921a", @@ -24803,10 +23601,6 @@ { "dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6", "type": "used-by" - }, - { - "dest-uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4", - "type": "similar" } ], "uuid": "93f8c180-6794-4e9c-b716-6b31f42eb72d", @@ -24825,15 +23619,37 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", - "type": "similar" - } - ], + "related": [], "uuid": "b9b67878-4eb1-4a0b-9b36-a798881ed566", "value": "SpeakUp" }, + { + "description": "Spearal is a .NET-based backdoor malware linked to the OilRig Iranian espionage group, which uses DNS tunneling for command and control communication.[[Check Point Research September 11 2024](/references/53320d81-4060-4414-b5b8-21d09362bc44)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3183", + "source": "Tidal Cyber", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "25c85bfb-3833-4c57-867a-b7d9ff6c5a40", + "value": "Spearal" + }, { "description": "SpectralBlur is a malware targeting macOS systems that has backdoor functionality. Researchers have linked the malware to \"TA444/Bluenoroff\" actors.[[Objective_See 1 4 2024](/references/c96535be-4859-4ae3-9ba0-d482f1195863)]", "meta": { 
@@ -24841,7 +23657,7 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5311", + "software_attack_id": "S3124", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -24868,7 +23684,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5055", + "software_attack_id": "S3078", "source": "Tidal Cyber", "tags": [ "562e535e-19f5-4d6c-81ed-ce2aec544f09", @@ -24907,10 +23723,6 @@ { "dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331", "type": "used-by" - }, - { - "dest-uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0", - "type": "similar" } ], "uuid": "2be9e22d-0af8-46f5-b30e-b3712ccf716d", @@ -24923,7 +23735,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5009", + "software_attack_id": "S3046", "source": "Tidal Cyber", "tags": [ "d903e38b-600d-4736-9e3b-cf1a6e436481", @@ -24986,7 +23798,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5322", + "software_attack_id": "S3137", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -25026,10 +23838,6 @@ { "dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8", "type": "used-by" - }, - { - "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", - "type": "similar" } ], "uuid": "0fdabff3-d996-493c-af67-f3ac02e4b00b", @@ -25042,7 +23850,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5235", + "software_attack_id": "S3356", "source": "Tidal Cyber", "tags": [ "e992169d-832d-44e9-8218-0f4ab0ff72b4", @@ -25074,10 +23882,6 @@ { "dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa", "type": "used-by" - }, - { - "dest-uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555", - "type": "similar" } ], "uuid": "96c224a6-6ca4-4ac1-9990-d863ec5a317a", @@ -25090,7 +23894,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5236", + "software_attack_id": "S3357", "source": "Tidal Cyber", "tags": [ "da7e88fd-2d71-4928-81ce-e3d455b3d418", 
@@ -25121,10 +23925,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", - "type": "similar" } ], "uuid": "612f780a-239a-4bd0-a29f-63beadf3ed22", @@ -25137,7 +23937,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5237", + "software_attack_id": "S3358", "source": "Tidal Cyber", "tags": [ "f4867256-402a-4bcb-97d3-e071ee0993c1", @@ -25159,7 +23959,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5238", + "software_attack_id": "S3359", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -25188,12 +23988,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "3c18ad16-9eaf-4649-984e-68551bff0d47", - "type": "similar" - } - ], + "related": [], "uuid": "46943a69-0b19-4d3a-b2a3-1302e85239a3", "value": "Squirrelwaffle" }, @@ -25204,7 +23999,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5164", + "software_attack_id": "S3285", "source": "Tidal Cyber", "tags": [ "6070668f-1cbd-4878-8066-c636d1d8659c", @@ -25237,10 +24032,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "type": "similar" } ], "uuid": "3334a124-3e74-4a90-8ed1-55eea3274b19", @@ -25262,10 +24053,6 @@ { "dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577", "type": "used-by" - }, - { - "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", - "type": "similar" } ], "uuid": "fc18e220-2200-4d70-a426-0700ba14c4c0", @@ -25290,10 +24077,6 @@ { "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", "type": "used-by" - }, - { - "dest-uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532", - "type": "similar" } ], "uuid": "764c6121-2d15-4a10-ac53-b1c431dc8b47", @@ -25311,12 +24094,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "ca0fead6-5277-427a-825b-42ff1fbe476e", - "type": "similar" - } - ], + "related": [], "uuid": "ea561f0b-b891-5735-aa99-97cc8818fbef", "value": "STEADYPULSE" }, 
@@ -25327,7 +24105,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5298", + "software_attack_id": "S3060", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -25349,7 +24127,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5296", + "software_attack_id": "S3019", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -25388,10 +24166,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", - "type": "similar" } ], "uuid": "9eee52a2-5ac1-4561-826c-23ec7fbc7876", @@ -25404,7 +24178,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5337", + "software_attack_id": "S3152", "source": "Tidal Cyber", "tags": [ "84615fe0-c2a5-4e07-8957-78ebc29b4635", @@ -25426,7 +24200,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5165", + "software_attack_id": "S3286", "source": "Tidal Cyber", "tags": [ "f0e3d6ea-d7ea-4d73-b868-1076fac744a8", @@ -25457,10 +24231,6 @@ { "dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b", "type": "used-by" - }, - { - "dest-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "type": "similar" } ], "uuid": "502b490c-2067-40a4-8f73-7245d7910851", @@ -25485,10 +24255,6 @@ { "dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c", "type": "used-by" - }, - { - "dest-uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0", - "type": "similar" } ], "uuid": "dd8bb0a3-6cb1-412d-adeb-cbaae98462a9", @@ -25510,10 +24276,6 @@ { "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "type": "used-by" - }, - { - "dest-uuid": "20945359-3b39-4542-85ef-08ecb4e1c174", - "type": "similar" } ], "uuid": "ed563524-235e-4e06-8c69-3f9d8ddbfd8a", @@ -25535,12 +24297,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "088f1d6e-0783-47c6-9923-9c79b2af43d4", - "type": "similar" - } - ], + "related": [], "uuid": "3fdf3833-fca9-4414-8d2e-779dabc4ee31", "value": "Stuxnet" }, 
@@ -25556,12 +24313,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "type": "similar" - } - ], + "related": [], "uuid": "b19b6c38-d38b-46f2-a535-d0bfc5790368", "value": "S-Type" }, @@ -25577,12 +24329,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "9c10cede-c0bb-4c5c-91c0-8baec30abaf6", - "type": "similar" - } - ], + "related": [], "uuid": "6ff7bf2e-286c-4b1b-92a0-1e5322870c59", "value": "SUGARDUMP" }, @@ -25598,12 +24345,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "44e2a842-415b-47f4-8549-83fbdb8a5674", - "type": "similar" - } - ], + "related": [], "uuid": "004c781a-3d7d-446b-9677-a042c8f6566e", "value": "SUGARUSH" }, @@ -25626,10 +24368,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927", - "type": "similar" } ], "uuid": "6b04e98e-c541-4958-a8a5-d433e575ce78", @@ -25655,10 +24393,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6", - "type": "similar" } ], "uuid": "66966a12-3db3-4e43-a7e8-6c6836ccd8fe", @@ -25676,12 +24410,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9", - "type": "similar" - } - ], + "related": [], "uuid": "f02abaee-237b-4891-bb5d-30ca86dfc2c8", "value": "SUPERNOVA" }, @@ -25700,12 +24429,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6", - "type": "similar" - } - ], + "related": [], "uuid": "a8110f81-5ee9-5819-91ce-3a57aa330dcb", "value": "SVCReady" }, @@ -25721,12 +24445,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "type": "similar" - } - ], + "related": [], "uuid": "ae749f9c-cf46-42ce-b0b8-f0be8660e3f3", "value": "Sykipot" }, 
@@ -25746,12 +24465,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "04227b24-7817-4de1-9050-b7b1b57f5866", - "type": "similar" - } - ], + "related": [], "uuid": "19ae8345-745e-4872-8a29-d56c8800d626", "value": "SynAck" }, @@ -25762,7 +24476,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5261", + "software_attack_id": "S3382", "source": "Tidal Cyber", "tags": [ "9e504206-7a84-40a5-b896-8995d82e3586", @@ -25784,7 +24498,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5166", + "software_attack_id": "S3287", "source": "Tidal Cyber", "tags": [ "acda137a-d1c9-4216-9c08-d07c8d899725", @@ -25814,12 +24528,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", - "type": "similar" - } - ], + "related": [], "uuid": "69ab291d-5066-4e47-9862-1f5c7bac7200", "value": "SYNful Knock" }, @@ -25839,10 +24548,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "type": "similar" } ], "uuid": "2df35a92-2295-417a-af5a-ba5c943ef40d", @@ -25863,12 +24568,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "edf5aee2-9b1c-4252-8e64-25b12f14c8b3", - "type": "similar" - } - ], + "related": [], "uuid": "ea556a8d-4959-423f-a2dd-622d0497d484", "value": "SYSCON" }, @@ -25879,7 +24579,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5199", + "software_attack_id": "S3320", "source": "Tidal Cyber", "tags": [ "9105775d-bdcb-45cc-895d-6c7bbb3d30ce", @@ -25901,7 +24601,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5058", + "software_attack_id": "S3081", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -25917,6 +24617,10 @@ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e", "type": "used-by" }, + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + }, { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" 
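Review bot: The `used-by` relation added in the last hunk here targets `efd2fca2-45fb-4eaf-82e7-0d20c156f84f`, which is also the sole relation on the new Zeppelin Ransomware entry at L819, and `94794e7b-8b54-4be8-885a-fd1009425ed5` is added the same way at L802 and L816; none of these UUIDs is defined as a cluster anywhere in this view, so they presumably resolve to entries added to another galaxy file in the same commit. A `dest-uuid` that does not resolve is unlikely to be rejected at import time and only shows up later as a missing link, so the new destinations are worth checking against the group cluster file with the repository's validation script before merging.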
@@ -25999,10 +24703,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "type": "similar" } ], "uuid": "cecea681-a753-47b5-9d77-c10a5b4403ab", @@ -26025,10 +24725,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "c009560a-f097-45a3-8f9f-78ec1440a783", - "type": "similar" } ], "uuid": "148d587c-3b1e-4e71-bdfb-8c37005e7e77", @@ -26046,12 +24742,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "type": "similar" - } - ], + "related": [], "uuid": "c5647cc4-0d46-4a41-8591-9179737747a2", "value": "T9000" }, @@ -26062,7 +24753,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5066", + "software_attack_id": "S3091", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26076,6 +24767,10 @@ ] }, "related": [ + { + "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6", + "type": "used-by" + }, { "dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337", "type": "used-by" @@ -26096,12 +24791,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", - "type": "similar" - } - ], + "related": [], "uuid": "9334df79-9023-44bb-bc28-16c1f07b836b", "value": "Taidoor" }, @@ -26112,7 +24802,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5069", + "software_attack_id": "S3094", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26150,10 +24840,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152", - "type": "similar" } ], "uuid": "1548c94a-fb4d-43d8-9956-ea26f5cc552f", @@ -26171,12 +24857,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "b51797f7-57da-4210-b8ac-b8632ee75d70", - "type": "similar" - } - ], + "related": [], "uuid": "b1b7a8d9-6df3-4e89-8622-a6eea3da729b", "value": "TajMahal" }, 
@@ -26187,7 +24868,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5334", + "software_attack_id": "S3149", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", @@ -26214,9 +24895,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5167", + "software_attack_id": "S3288", "source": "Tidal Cyber", "tags": [ + "25b4fafc-4691-4008-8baa-35dbbcce752a", "303a3675-4855-4323-b042-95bb1d907cca", "509a90c7-9ca9-4b23-bca2-cd38ef6a6207" ], @@ -26244,10 +24926,6 @@ { "dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b", "type": "used-by" - }, - { - "dest-uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8", - "type": "similar" } ], "uuid": "7bb9d181-4405-4938-bafb-b13cc98b6cd8", @@ -26319,10 +24997,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "type": "similar" } ], "uuid": "abae8f19-9497-4a71-82b6-ae6edd26ad98", @@ -26337,7 +25011,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5267", + "software_attack_id": "S3108", "source": "Tidal Cyber", "tags": [ "96d58ca1-ab18-4e53-8891-d8ba62a47e5d", @@ -26369,7 +25043,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5044", + "software_attack_id": "S3047", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26389,6 +25063,10 @@ ] }, "related": [ + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59", "type": "used-by" @@ -26413,10 +25091,6 @@ { "dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b", "type": "used-by" - }, - { - "dest-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "type": "similar" } ], "uuid": "e7116740-fe7c-45e2-b98d-0c594a7dff2f", @@ -26429,7 +25103,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5239", + "software_attack_id": "S3360", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", 
@@ -26450,7 +25124,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5240", + "software_attack_id": "S3361", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -26471,7 +25145,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5010", + "software_attack_id": "S3048", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26554,10 +25228,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26", - "type": "similar" } ], "uuid": "bae20f59-469c-451c-b4ca-70a9a04a1574", @@ -26570,7 +25240,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5011", + "software_attack_id": "S3051", "source": "Tidal Cyber", "tags": [ "1dc8fd1e-0737-405a-98a1-111dd557f1b5", @@ -26592,7 +25262,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5283", + "software_attack_id": "S3122", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26623,7 +25293,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5241", + "software_attack_id": "S3362", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -26656,10 +25326,6 @@ { "dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff", "type": "used-by" - }, - { - "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "type": "similar" } ], "uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79", @@ -26682,12 +25348,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "727afb95-3d0f-4451-b297-362a43909923", - "type": "similar" - } - ], + "related": [], "uuid": "2ed5f691-68eb-49dd-b730-793dc8a7d134", "value": "ThiefQuest" }, @@ -26707,10 +25368,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092", - "type": "similar" } ], "uuid": "b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e", 
@@ -26723,7 +25380,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5045", + "software_attack_id": "S3049", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -26758,7 +25415,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5335", + "software_attack_id": "S3150", "source": "Tidal Cyber", "tags": [ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", @@ -26787,7 +25444,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5015", + "software_attack_id": "S3054", "source": "Tidal Cyber", "tags": [ "e551ae97-d1b4-484e-9267-89f33829ec2c", @@ -26841,10 +25498,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab", - "type": "similar" } ], "uuid": "39f0371c-b755-4655-a97e-82a572f2fae4", @@ -26866,10 +25519,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "type": "similar" } ], "uuid": "0e009cb8-848e-427a-9581-d3a4fd9f6a87", @@ -26891,10 +25540,6 @@ { "dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07", "type": "used-by" - }, - { - "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "type": "similar" } ], "uuid": "277290fe-51f3-4822-bb46-8b69fd1c8ae5", @@ -26912,12 +25557,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "327b3a25-9e60-4431-b3b6-93b9c64eacbc", - "type": "similar" - } - ], + "related": [], "uuid": "eff417ad-c775-4a95-9f36-a1b5a675ba82", "value": "Tomiris" }, @@ -26970,10 +25610,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", - "type": "similar" } ], "uuid": "8c70d85b-b06d-423c-8bab-ecff18f332d6", @@ -26991,12 +25627,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2", - "type": "similar" - } - ], + "related": [], "uuid": "4bce135b-91ba-45ae-88f9-09e01f983a74", "value": "Torisma" }, 
@@ -27007,7 +25638,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5242", + "software_attack_id": "S3363", "source": "Tidal Cyber", "tags": [ "3c9b26cf-9bda-4feb-ab42-ef7865cc80fd", @@ -27041,10 +25672,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e", - "type": "similar" } ], "uuid": "7a6ae9f8-5f8b-4e94-8716-d8ee82027197", @@ -27077,10 +25704,6 @@ { "dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800", "type": "used-by" - }, - { - "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", - "type": "similar" } ], "uuid": "c2bd4213-fc7b-474f-b5a0-28145b07c51d", @@ -27102,10 +25725,6 @@ { "dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1", "type": "used-by" - }, - { - "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "type": "similar" } ], "uuid": "b88c4891-40da-4832-ba42-6c6acd455bd1", @@ -27123,12 +25742,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", - "type": "similar" - } - ], + "related": [], "uuid": "f8a4213d-633b-4e3d-8e59-a769e852b93b", "value": "Trojan.Mebromi" }, @@ -27139,9 +25753,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5000", + "software_attack_id": "S3005", "source": "Tidal Cyber", "tags": [ + "4e00b987-cd79-4b6a-9afe-c3b291ee2938", "1dc8fd1e-0737-405a-98a1-111dd557f1b5", "15787198-6c8b-4f79-bf50-258d55072fee", "a98d7a43-f227-478e-81de-e7299639a355", @@ -27185,10 +25800,6 @@ { "dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0", "type": "used-by" - }, - { - "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", - "type": "similar" } ], "uuid": "50844dba-8999-42ba-ba29-511e3faf4bc3", @@ -27210,10 +25821,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace", - "type": "similar" } ], "uuid": "9872ab5a-c76e-4404-91f9-5b745722443b", 
@@ -27228,7 +25835,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5268", + "software_attack_id": "S3109", "source": "Tidal Cyber", "tags": [ "e1be4b53-7524-4e88-bf6d-358cfdf96772", @@ -27251,7 +25858,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5168", + "software_attack_id": "S3289", "source": "Tidal Cyber", "tags": [ "fc67aea7-f207-4cf5-8413-e33c76538cf6", @@ -27273,7 +25880,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5169", + "software_attack_id": "S3290", "source": "Tidal Cyber", "tags": [ "3c4e3160-4e82-49ce-b6a3-17879dd4b83c", @@ -27305,10 +25912,6 @@ { "dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0", "type": "used-by" - }, - { - "dest-uuid": "350f12cf-fd3b-4dad-b323-14b943090df4", - "type": "similar" } ], "uuid": "571a45a7-68c9-452c-99bf-1d5b5fdd08b3", @@ -27322,6 +25925,9 @@ ], "software_attack_id": "S0199", "source": "MITRE", + "tags": [ + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" + ], "type": [ "malware" ] @@ -27330,10 +25936,6 @@ { "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac", "type": "used-by" - }, - { - "dest-uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", - "type": "similar" } ], "uuid": "c7f10715-cf13-4360-8511-aa3f93dd7688", @@ -27358,10 +25960,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", - "type": "similar" } ], "uuid": "6c93d3c4-cae5-48a9-948d-bc5264230316", @@ -27373,6 +25971,7 @@ "software_attack_id": "S0116", "source": "MITRE", "tags": [ + "8450b5c7-acf1-41df-afc2-5c20e12436c0", "7de7d799-f836-4555-97a4-0db776eb6932", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96" ], @@ -27380,12 +25979,7 @@ "tool" ] }, - "related": [ - { - "dest-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", - "type": "similar" - } - ], + "related": [], "uuid": "5788edee-d1b7-4406-9122-bee596362236", "value": "UACMe" }, 
@@ -27401,12 +25995,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", - "type": "similar" - } - ], + "related": [], "uuid": "5214ae01-ccd5-4e97-8f9c-14eb16e75544", "value": "UBoatRAT" }, @@ -27422,12 +26011,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "3d8e547d-9456-4f32-a895-dc86134e282f", - "type": "similar" - } - ], + "related": [], "uuid": "227c12df-8126-4e79-b9bd-0e4633fa12fa", "value": "Umbreon" }, @@ -27438,7 +26022,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5276", + "software_attack_id": "S3116", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -27477,10 +26061,6 @@ { "dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a", "type": "used-by" - }, - { - "dest-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "type": "similar" } ], "uuid": "846b3762-3949-4501-b781-6dca22db088f", @@ -27493,7 +26073,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5170", + "software_attack_id": "S3291", "source": "Tidal Cyber", "tags": [ "40f11d0d-09f2-4bd1-bc79-1430464a52a7", @@ -27515,7 +26095,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5243", + "software_attack_id": "S3364", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -27545,10 +26125,6 @@ { "dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322", "type": "used-by" - }, - { - "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", - "type": "similar" } ], "uuid": "a3c211f8-52aa-4bfd-8382-940f2194af28", @@ -27561,7 +26137,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5200", + "software_attack_id": "S3321", "source": "Tidal Cyber", "tags": [ "34505028-b7d8-4da4-8dee-9926f3dbd37a", @@ -27597,10 +26173,6 @@ { "dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2", "type": "used-by" - }, - { - "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", - "type": "similar" } ], "uuid": "89ffc27c-b81f-473a-87d6-907cacdce61c", 
@@ -27615,6 +26187,7 @@ "software_attack_id": "S0386", "source": "MITRE", "tags": [ + "88f27876-7be0-413b-8d91-5fa031d469fb", "15787198-6c8b-4f79-bf50-258d55072fee", "4d767e87-4cf6-438a-927a-43d2d0beaab7", "f8669b82-2194-49a9-8e20-92e7f9ab0a6f" @@ -27639,10 +26212,6 @@ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" - }, - { - "dest-uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", - "type": "similar" } ], "uuid": "3e501609-87e4-4c47-bd88-5054be0f1037", @@ -27664,10 +26233,6 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" - }, - { - "dest-uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984", - "type": "similar" } ], "uuid": "26d93db8-dbc3-44b5-a393-2b219cef4f5b", @@ -27692,10 +26257,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "type": "similar" } ], "uuid": "50eab018-8d52-46f5-8252-95942c2c0a89", @@ -27708,7 +26269,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5262", + "software_attack_id": "S3383", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -27741,10 +26302,6 @@ { "dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2", "type": "used-by" - }, - { - "dest-uuid": "ade37ada-14af-4b44-b36c-210eec255d53", - "type": "similar" } ], "uuid": "b149f12f-3cf4-4547-841d-c63b7677547d", @@ -27769,10 +26326,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194", - "type": "similar" } ], "uuid": "63940761-8dea-4362-8795-7bc0653ce1d4", @@ -27794,10 +26347,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", - "type": "similar" } ], "uuid": "fe116518-cd0c-4b10-8190-4f57208df4e4", 
@@ -27810,7 +26359,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5171", + "software_attack_id": "S3292", "source": "Tidal Cyber", "tags": [ "bc6f5172-90af-491e-817d-2eaa522f93af", @@ -27841,15 +26390,39 @@ { "dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6", "type": "used-by" - }, - { - "dest-uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed", - "type": "similar" } ], "uuid": "150b6079-bb10-48a8-b570-fbe8b0e3287c", "value": "VBShower" }, + { + "description": "Veaty is a .NET-based backdoor malware linked to the OilRig Iranian espionage group, which uses emails for command and control communication.[[Check Point Research September 11 2024](/references/53320d81-4060-4414-b5b8-21d09362bc44)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3182", + "source": "Tidal Cyber", + "tags": [ + "15f2277a-a17e-4d85-8acd-480bf84f16b4", + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2", + "type": "used-by" + } + ], + "uuid": "36c06aee-5574-4094-a579-8ec7c9929040", + "value": "Veaty" + }, { "description": "A prominent ransomware family.[[HC3 Analyst Note Venus Ransomware November 2022](/references/bd6e6a59-3a73-48f6-84cd-e7c027c8671f)]", "meta": { @@ -27857,9 +26430,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5293", + "software_attack_id": "S3014", "source": "Tidal Cyber", "tags": [ + "537bb659-7c9b-4354-b1da-03989ce412c8", "c6e1f516-1a18-4ff9-b563-e6ac8103b104", "562e535e-19f5-4d6c-81ed-ce2aec544f09", "5e7433ad-a894-4489-93bc-41e90da90019", @@ -27881,7 +26455,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5172", + "software_attack_id": "S3293", "source": "Tidal Cyber", "tags": [ "4e91036d-809b-4eae-8a09-86bdc6cd1f0e", 
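Review bot: The new Veaty entry's description cites its source with a site-relative link, `(/references/53320d81-4060-4414-b5b8-21d09362bc44)`, while older entries in this file use the absolute form `https://app.tidalcyber.com/references/<id>` (compare Volgmer at L811); the new Voldemort (L811) and Zeppelin Ransomware (L819) entries follow the relative form as well. A relative path resolves against whichever host renders the cluster, so on misp-galaxy.org or inside a MISP instance the citation is a dead link. Since the unchanged Venus entry in this same hunk already uses the relative form, the inconsistency predates this commit, but the generator that produces these descriptions is the place to normalize it to the absolute URL.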
@@ -27908,12 +26482,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3", - "type": "similar" - } - ], + "related": [], "uuid": "afa4023f-aa2e-45d6-bb3c-38e61f876eac", "value": "VERMIN" }, @@ -27924,9 +26493,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5071", + "software_attack_id": "S3096", "source": "Tidal Cyber", "tags": [ + "26028765-3b6d-419c-92b5-5fbe345a26d1", "fdd53e62-5bf1-41f1-8bd6-b970a866c39d", "d431939f-2dc0-410b-83f7-86c458125444", "15787198-6c8b-4f79-bf50-258d55072fee", @@ -27952,7 +26522,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5246", + "software_attack_id": "S3367", "source": "Tidal Cyber", "tags": [ "5e096dac-47b7-4657-a57b-752ef7da0263", 
@@ -27967,6 +26537,30 @@ "uuid": "acfbcd12-25fd-41cd-83ef-c7af7cb59fff", "value": "VisualUiaVerifyNative" }, + { + "description": "According to Proofpoint researchers, Voldemort is a custom backdoor malware written in C. It has the ability to collect victim system information and to drop additional payloads.[[Proofpoint August 29 2024](/references/548f23b2-3ab6-4ea0-839f-8f9c8745d91d)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3163", + "source": "Tidal Cyber", + "tags": [ + "fe28cf32-a15c-44cf-892c-faa0360d6109", + "82009876-294a-4e06-8cfc-3236a429bda4", + "f8669b82-2194-49a9-8e20-92e7f9ab0a6f", + "c6e1f516-1a18-4ff9-b563-e6ac8103b104", + "2feda37d-5579-4102-a073-aa02e82cb49f" + ], + "type": [ + "malware" + ] + }, + "related": [], + "uuid": "e1dcbb6c-00ef-46f1-9da2-44b43b533256", + "value": "Voldemort" + }, { "description": "[Volgmer](https://app.tidalcyber.com/software/7fcfba45-5752-4f0c-8023-db67729ae34e) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [[US-CERT Volgmer Nov 2017](https://app.tidalcyber.com/references/c48c7ac0-8d55-4b62-9606-a9ce420459b6)]", "meta": { @@ -27983,10 +26577,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "type": "similar" } ], "uuid": "7fcfba45-5752-4f0c-8023-db67729ae34e", @@ -27999,7 +26589,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5244", + "software_attack_id": "S3365", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -28020,7 +26610,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5247", + "software_attack_id": "S3368", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", 
@@ -28041,7 +26631,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5245", + "software_attack_id": "S3366", "source": "Tidal Cyber", "tags": [ "0bf195a2-c577-4317-973e-a72dde5a06e6", @@ -28063,7 +26653,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5248", + "software_attack_id": "S3369", "source": "Tidal Cyber", "tags": [ "71bc284c-bfce-4191-80e0-ef70ff4315bf", @@ -28085,7 +26675,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5253", + "software_attack_id": "S3374", "source": "Tidal Cyber", "tags": [ "375cb8ad-2b6a-49b7-8eb3-757aaaf72d8b", @@ -28107,7 +26697,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5301", + "software_attack_id": "S3063", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -28134,7 +26724,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5254", + "software_attack_id": "S3375", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -28155,7 +26745,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5173", + "software_attack_id": "S3294", "source": "Tidal Cyber", "tags": [ "a53c9f4b-6f0d-4afa-b1ac-8e2d91279210", @@ -28196,10 +26786,6 @@ { "dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08", "type": "used-by" - }, - { - "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", - "type": "similar" } ], "uuid": "6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a", @@ -28217,12 +26803,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6", - "type": "similar" - } - ], + "related": [], "uuid": "9a592b49-1701-5e4c-95cf-9b8c98b80527", "value": "WARPWIRE" }, @@ -28235,6 +26816,7 @@ "software_attack_id": "S0670", "source": "MITRE", "tags": [ + "b10ffa34-c6ef-4473-b951-9a05dacf68b5", "15787198-6c8b-4f79-bf50-258d55072fee" ], "type": [ 
@@ -28257,10 +26839,6 @@ { "dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be", "type": "used-by" - }, - { - "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b", - "type": "similar" } ], "uuid": "cfebe868-15cb-4be5-b7ed-38b52f2a0722", @@ -28286,10 +26864,6 @@ { "dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87", "type": "used-by" - }, - { - "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927", - "type": "similar" } ], "uuid": "0ba6ee8d-2b29-4980-8e55-348ea05f00ad", @@ -28311,10 +26885,6 @@ { "dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb", "type": "used-by" - }, - { - "dest-uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb", - "type": "similar" } ], "uuid": "56872a5b-dc01-455c-85d5-06c577abb030", @@ -28339,10 +26909,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", - "type": "similar" } ], "uuid": "f228af8f-8938-4836-9461-c6ca220ed7c5", @@ -28367,10 +26933,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a", - "type": "similar" } ], "uuid": "b936a1b3-5493-4d6c-9b69-29addeace418", @@ -28396,10 +26958,6 @@ { "dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447", "type": "used-by" - }, - { - "dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4", - "type": "similar" } ], "uuid": "20725ec7-ee35-44cf-bed6-91158aa03ce4", @@ -28452,10 +27010,6 @@ { "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f", "type": "used-by" - }, - { - "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", - "type": "similar" } ], "uuid": "2bcbcea6-192a-4501-aab1-1edde53875fa", @@ -28468,7 +27022,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5249", + "software_attack_id": "S3370", "source": "Tidal Cyber", "tags": [ "be621f15-1788-490f-b8bb-85511a5a8074", 
@@ -28492,6 +27046,13 @@ "software_attack_id": "S0689", "source": "MITRE", "tags": [ + "af5e9be5-b86e-47af-91dd-966a5e34a186", + "35e694ec-5133-46e3-b7e1-5831867c3b55", + "d8f7e071-fbfd-46f8-b431-e241bb1513ac", + "61cdbb28-cbfd-498b-9ab1-1f14337f9524", + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "768c90a8-21b2-403b-8ddc-28181bca7aca", "2e621fc5-dea4-4cb9-987e-305845986cd3" ], "type": [ @@ -28502,10 +27063,6 @@ { "dest-uuid": "407274be-1820-4a84-939e-629313f4de1d", "type": "used-by" - }, - { - "dest-uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7", - "type": "similar" } ], "uuid": "791f0afd-c2c4-4e23-8aee-1d14462667f5", @@ -28527,10 +27084,6 @@ { "dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca", "type": "used-by" - }, - { - "dest-uuid": "039814a0-88de-46c5-a4fb-b293db21880a", - "type": "similar" } ], "uuid": "7b393608-c141-48af-ae3d-3eff13c3e01c", @@ -28579,10 +27132,6 @@ { "dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5", "type": "used-by" - }, - { - "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", - "type": "similar" } ], "uuid": "7c2c44d7-b307-4e13-b181-52352975a6f5", @@ -28601,10 +27150,6 @@ { "dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145", "type": "used-by" - }, - { - "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "type": "similar" } ], "uuid": "ed50dcf7-e283-451e-95b1-a8485f8dd214", @@ -28626,10 +27171,6 @@ { "dest-uuid": "4e880d01-313a-4926-8470-78c48824aa82", "type": "used-by" - }, - { - "dest-uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541", - "type": "similar" } ], "uuid": "3afe711d-ed58-4c94-a9b6-9c847e1e8a2f", @@ -28648,10 +27189,6 @@ { "dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66", "type": "used-by" - }, - { - "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", - "type": "similar" } ], "uuid": "5f994df7-55b0-4383-8ebc-506d4987292a", 
@@ -28678,10 +27215,6 @@ { "dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e", "type": "used-by" - }, - { - "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", - "type": "similar" } ], "uuid": "65d5b524-0e84-417d-9884-e2c501abfacd", @@ -28703,10 +27236,6 @@ { "dest-uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c", "type": "used-by" - }, - { - "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "type": "similar" } ], "uuid": "3e70078f-407e-4b03-b604-bdc05b372f37", @@ -28719,7 +27248,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5174", + "software_attack_id": "S3295", "source": "Tidal Cyber", "tags": [ "61f778ca-b2f1-4877-b0f5-fd5e87b6ddab", @@ -28750,10 +27279,6 @@ { "dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d", "type": "used-by" - }, - { - "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "type": "similar" } ], "uuid": "e10423c2-71a7-4878-96ba-343191136c19", @@ -28779,10 +27304,6 @@ { "dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e", "type": "used-by" - }, - { - "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105", - "type": "similar" } ], "uuid": "e384e711-0796-4cbc-8854-8c3f939faf57", @@ -28804,10 +27325,6 @@ { "dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b", "type": "used-by" - }, - { - "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", - "type": "similar" } ], "uuid": "245c216e-41c3-4dec-8b23-bfc7c6a46d6e", @@ -28820,7 +27337,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5081", + "software_attack_id": "S3105", "source": "Tidal Cyber", "tags": [ "af5e9be5-b86e-47af-91dd-966a5e34a186", @@ -28869,7 +27386,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5263", + "software_attack_id": "S3384", "source": "Tidal Cyber", "tags": [ "2eecd309-e75d-4f7b-8f6f-e11213f48b12", @@ -28891,7 +27408,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5046", + "software_attack_id": "S3050", "source": "Tidal Cyber", "tags": [ "27a117ce-bb19-4f79-9bc2-a851b69c5c50", 
@@ -28923,6 +27440,10 @@ "dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46", "type": "used-by" }, + { + "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5", + "type": "used-by" + }, { "dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e", "type": "used-by" @@ -28970,7 +27491,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5250", + "software_attack_id": "S3371", "source": "Tidal Cyber", "tags": [ "e1af18e3-3224-4e4c-9d0f-533768474508", @@ -29003,12 +27524,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", - "type": "similar" - } - ], + "related": [], "uuid": "627e05c2-c02e-433e-9288-c2d78bce156f", "value": "Wiper" }, @@ -29024,12 +27540,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "c93e3079-43fb-4d8d-9e99-db63d07eadc9", - "type": "similar" - } - ], + "related": [], "uuid": "93b02819-8acc-5d7d-ad11-abb33f9309cc", "value": "WIREFIRE" }, @@ -29042,7 +27553,7 @@ "macOS", "Windows" ], - "software_attack_id": "S5269", + "software_attack_id": "S3110", "source": "Tidal Cyber", "tags": [ "dbe18a6a-c8f9-451e-837e-5a7f25dcf913", @@ -29065,7 +27576,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5175", + "software_attack_id": "S3296", "source": "Tidal Cyber", "tags": [ "ebf92004-6e43-434c-8380-3671cf3640a2", @@ -29087,7 +27598,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5176", + "software_attack_id": "S3297", "source": "Tidal Cyber", "tags": [ "d819ae1a-e385-49fd-88d5-f66660729ecb", @@ -29156,12 +27667,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb", - "type": "similar" - } - ], + "related": [], "uuid": "1f374a54-c839-5139-b755-555c66a21c12", "value": "Woody RAT" }, @@ -29172,7 +27678,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5177", + "software_attack_id": "S3298", "source": "Tidal Cyber", "tags": [ "b5581207-a45f-4f7f-b637-14444d716ad1", 
@@ -29194,7 +27700,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5178", + "software_attack_id": "S3299", "source": "Tidal Cyber", "tags": [ "b4520b56-73e3-43fd-9f0d-70191132b451", @@ -29225,7 +27731,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5251", + "software_attack_id": "S3372", "source": "Tidal Cyber", "tags": [ "96ebb518-7c1f-4011-a3ec-42aa78a95e4f", @@ -29247,7 +27753,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5179", + "software_attack_id": "S3300", "source": "Tidal Cyber", "tags": [ "291fab5d-e732-4b19-83e4-ee642b2ae0f0", @@ -29269,7 +27775,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5184", + "software_attack_id": "S3305", "source": "Tidal Cyber", "tags": [ "303a3675-4855-4323-b042-95bb1d907cca", @@ -29290,7 +27796,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5180", + "software_attack_id": "S3301", "source": "Tidal Cyber", "tags": [ "03f0e493-63ae-47b5-8353-238390a895a8", @@ -29326,10 +27832,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "type": "similar" } ], "uuid": "6f411b69-6643-4cc7-9cbd-e15d9219e99c", @@ -29348,12 +27850,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", - "type": "similar" - } - ], + "related": [], "uuid": "ab442140-0761-4227-bd9e-151da5d0a04f", "value": "Xbash" }, @@ -29373,10 +27870,6 @@ { "dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d", "type": "used-by" - }, - { - "dest-uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1", - "type": "similar" } ], "uuid": "11a0dff4-1dc8-4553-8a38-90a07b01bfcd", @@ -29395,10 +27888,6 @@ { "dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f", "type": "used-by" - }, - { - "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", - "type": "similar" } ], "uuid": "d943d3d9-3a99-464f-94f0-95aa7963d858", 
@@ -29411,7 +27900,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5019", + "software_attack_id": "S3058", "source": "Tidal Cyber", "tags": [ "758c3085-2f79-40a8-ab95-f8a684737927", @@ -29455,12 +27944,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "e14085cb-0e8d-4be6-92ba-e3b93ee5978f", - "type": "similar" - } - ], + "related": [], "uuid": "3672ecfa-20bf-4d69-948d-876be343563f", "value": "XCSSET" }, @@ -29471,7 +27955,7 @@ "platforms": [ "macOS" ], - "software_attack_id": "S5317", + "software_attack_id": "S3130", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -29492,9 +27976,10 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5064", + "software_attack_id": "S3089", "source": "Tidal Cyber", "tags": [ + "2a54c431-2075-4ed5-a691-fa452c11dd13", "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96", "15787198-6c8b-4f79-bf50-258d55072fee", "291c006e-f77a-4c9c-ae7e-084974c0e1eb", @@ -29526,7 +28011,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5048", + "software_attack_id": "S3072", "source": "Tidal Cyber", "tags": [ "15787198-6c8b-4f79-bf50-258d55072fee", @@ -29556,10 +28041,6 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "type": "similar" } ], "uuid": "133136f0-7254-4cec-8710-0ab99d5da4e5", @@ -29572,7 +28053,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5181", + "software_attack_id": "S3302", "source": "Tidal Cyber", "tags": [ "c37d2f5f-91da-43c6-869e-192bf0e0ae90", @@ -29594,7 +28075,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5290", + "software_attack_id": "S3006", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -29630,10 +28111,6 @@ { "dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b", "type": "used-by" - }, - { - "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", - "type": "similar" } ], "uuid": "0844bc42-5c29-47c3-b1b3-6bfffbf1732a", 
@@ -29646,7 +28123,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5323", + "software_attack_id": "S3138", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -29681,12 +28158,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14", - "type": "similar" - } - ], + "related": [], "uuid": "e0962ff7-5524-4683-9b95-0e4ba07dccb2", "value": "yty" }, @@ -29709,15 +28181,40 @@ { "dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5", "type": "used-by" - }, - { - "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", - "type": "similar" } ], "uuid": "e317b8a6-1722-4017-be33-717a5a93ef1c", "value": "Zebrocy" }, + { + "description": "Zeppelin is a ransomware derived from the Vega family of Delphi-based malware. Used from 2019 through at least June 2022, Zeppelin was distributed as ransomware-as-a-service (\"RaaS\").[[U.S. CISA Zeppelin Ransomware August 11 2022](/references/42d98de2-8c9a-4cc4-b5a1-9778c0da3286)]", + "meta": { + "owner": "TidalCyberIan", + "platforms": [ + "Windows" + ], + "software_attack_id": "S3185", + "source": "Tidal Cyber", + "tags": [ + "e551ae97-d1b4-484e-9267-89f33829ec2c", + "15787198-6c8b-4f79-bf50-258d55072fee", + "562e535e-19f5-4d6c-81ed-ce2aec544f09", + "5e7433ad-a894-4489-93bc-41e90da90019", + "7e7b0c67-bb85-4996-a289-da0e792d7172" + ], + "type": [ + "malware" + ] + }, + "related": [ + { + "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f", + "type": "used-by" + } + ], + "uuid": "e8820bf1-1e70-469c-a93b-770c1f23b058", + "value": "Zeppelin Ransomware" + }, { "description": "[Zeroaccess](https://app.tidalcyber.com/software/2f52b513-5293-4833-9c4d-b120e7a84341) is a kernel-mode [Rootkit](https://app.tidalcyber.com/technique/cf2b56f6-3ebd-48ec-b9d9-835397acef89) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. [[Sophos ZeroAccess](https://app.tidalcyber.com/references/41b51767-62f1-45c2-98cb-47c44c975a58)]", "meta": { 
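Review bot: The new Zeppelin Ransomware entry embeds its citation as a site-relative link, `[[U.S. CISA Zeppelin Ransomware August 11 2022](/references/42d98de2-8c9a-4cc4-b5a1-9778c0da3286)]`, whereas the neighbouring Zeroaccess description in the same hunk uses the absolute form `https://app.tidalcyber.com/references/41b51767-…`; rendered on misp-galaxy.org or inside a MISP instance the relative path resolves against the wrong host and the reference is dead. Change it to `https://app.tidalcyber.com/references/42d98de2-8c9a-4cc4-b5a1-9778c0da3286` — or better, the CISA advisory URL itself, so the source survives if the Tidal reference page moves — and if the generator now emits relative paths for newer records, fix the rewrite there so the next sync does not reintroduce it. The entry also ships with no `similar` cross-reference at all, which is consistent with the rest of this commit but should be a deliberate decision rather than an artefact of the import.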
@@ -29727,12 +28224,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "552462b9-ae79-49dd-855c-5973014e157f", - "type": "similar" - } - ], + "related": [], "uuid": "2f52b513-5293-4833-9c4d-b120e7a84341", "value": "Zeroaccess" }, @@ -29755,10 +28247,6 @@ { "dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3", "type": "used-by" - }, - { - "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", - "type": "similar" } ], "uuid": "f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd", @@ -29779,12 +28267,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "198db886-47af-4f4c-bff5-11b891f85946", - "type": "similar" - } - ], + "related": [], "uuid": "be8add13-40d7-495e-91eb-258d3a4711bc", "value": "Zeus Panda" }, @@ -29795,7 +28278,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5201", + "software_attack_id": "S3322", "source": "Tidal Cyber", "tags": [ "0d0098b4-e159-4502-973d-714011ba605f", @@ -29822,12 +28305,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864", - "type": "similar" - } - ], + "related": [], "uuid": "976a7797-3008-5316-9e28-19c9a05959d0", "value": "ZIPLINE" }, @@ -29843,12 +28321,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "type": "similar" - } - ], + "related": [], "uuid": "1ac8d363-2903-43da-9c1d-2b28179638c8", "value": "ZLib" }, @@ -29859,7 +28332,7 @@ "platforms": [ "Windows" ], - "software_attack_id": "S5312", + "software_attack_id": "S3125", "source": "Tidal Cyber", "tags": [ "c6e1f516-1a18-4ff9-b563-e6ac8103b104", @@ -29896,10 +28369,6 @@ { "dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca", "type": "used-by" - }, - { - "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445", - "type": "similar" } ], "uuid": "75dd9acb-fcff-4b0b-b45b-f943fb589d78", 
@@ -29920,12 +28389,7 @@ "malware" ] }, - "related": [ - { - "dest-uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", - "type": "similar" - } - ], + "related": [], "uuid": "49314d4e-dc04-456f-918e-a3bedfc3192a", "value": "zwShell" }, @@ -29960,10 +28424,6 @@ { "dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9", "type": "used-by" - }, - { - "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", - "type": "similar" } ], "uuid": "eea89ff2-036d-4fa6-bbed-f89502c62318", @@ -29985,10 +28445,6 @@ { "dest-uuid": "3a02aa1b-851a-43e1-b83b-58037f3c7025", "type": "used-by" - }, - { - "dest-uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d", - "type": "similar" } ], "uuid": "91e1ee26-d6ae-4203-a466-93c9e5019b47", diff --git a/clusters/tool.json b/clusters/tool.json index d9d9cdb..3ac50d6 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1882,7 +1882,8 @@ "refs": [ "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html", "https://blogs.cisco.com/security/talos/opening-zxshell", - "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox" + "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" ], "synonyms": [ "Sensode" @@ -9208,6 +9209,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" + }, + { + "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" } ], "uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d", @@ -11075,5 +11083,5 @@ "value": "SLIVER" } ], - "version": 173 + "version": 174 }
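Review bot: The `used-by` relation added to cluster `97f26fab-af0e-4da9-b4c1-aec70cace22d` in clusters/tool.json is tagged `estimative-language:likelihood-probability=\"likely\"`, but nothing in the hunk records where that attribution comes from, and the cluster's `refs` block is outside the hunk so I cannot tell whether it was updated. If the source is the Symantec Lancefly/Merdoor write-up that the `@@ -1882` hunk adds to ZXShell's refs, the same URL belongs in this cluster's `refs` as well, because a relation carries only `dest-uuid`, `tags` and `type` and has nowhere to cite its evidence. Please also confirm that `6f7489f5-7edc-4693-b35a-44e79c969678` resolves to an existing threat-actor cluster (e.g. `grep -rl 6f7489f5-7edc-4693-b35a-44e79c969678 clusters/`): a dangling dest-uuid passes schema validation and only surfaces later as a silent non-correlation in MISP.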