From 8108d2b1fec4af863e42e34760b1441074e97542 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Tue, 24 Sep 2024 05:06:44 +0000
Subject: [PATCH 01/42] chg: [threat-actor] add earth baxia
---
clusters/threat-actor.json | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5dfa613..76e932d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16688,6 +16688,20 @@
},
"uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
"value": "HikkI-Chan"
+ },
+ {
+ "description": "Earth Baxia is a threat actor opearting ot of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.tgsoft.it/news/news_archivio.asp?id=1568",
+ "https://jp.security.ntt/tech_blog/appdomainmanager-injection",
+ "https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"
+ ]
+ },
+ "uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7",
+ "value": "Earth Baxia"
}
],
"version": 313
From 483f532613836e2adcdfd712c853abe3ab97daa4 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Tue, 24 Sep 2024 05:07:30 +0000
Subject: [PATCH 02/42] chg: [threat-actor] fix typo
---
clusters/threat-actor.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 76e932d..69e020d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16690,7 +16690,7 @@
"value": "HikkI-Chan"
},
{
- "description": "Earth Baxia is a threat actor opearting ot of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
+ "description": "Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
"meta": {
"country": "CN",
"refs": [
From 17c4d15eec0f833f0838568b15ffd58e81bfa4d2 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Tue, 24 Sep 2024 05:21:54 +0000
Subject: [PATCH 03/42] chg: [doc] README updated
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3be9919..7e3dcb7 100644
--- a/README.md
+++ b/README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *736* elements
+Category: *actor* - source: *MISP Project* - total: *737* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
From 24a228d731323f4282654f72f76ad650714c818c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 26 Sep 2024 08:19:26 +0200
Subject: [PATCH 04/42] chg: [producer] updated with cloudflare and one
description fixed
---
README.md | 2 +-
clusters/producer.json | 9 +++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 7e3dcb7..043c788 100644
--- a/README.md
+++ b/README.md
@@ -487,7 +487,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.
-Category: *actor* - source: *MISP Project* - total: *37* elements
+Category: *actor* - source: *MISP Project* - total: *38* elements
[[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)]
diff --git a/clusters/producer.json b/clusters/producer.json
index d8161eb..72fa059 100644
--- a/clusters/producer.json
+++ b/clusters/producer.json
@@ -448,7 +448,7 @@
"value": "BleepingComputer"
},
{
- "description": "",
+ "description": "Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV[3] anti-virus engine",
"meta": {
"country": "US",
"refs": [
@@ -663,7 +663,12 @@
},
"uuid": "e5964f36-7644-4f73-bdfd-f24d9e006656",
"value": "Avira"
+ },
+ {
+ "description": "Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California.",
+ "uuid": "a0a87034-b8ff-4991-9ae1-e650a43292ef",
+ "value": "Cloudflare"
}
],
- "version": 11
+ "version": 12
}
From 60340edb22095708e4eb96b7007cfeb235655a7b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 26 Sep 2024 08:34:37 +0200
Subject: [PATCH 05/42] chg: [threat-actor] SloppyLemming added
---
README.md | 2 +-
clusters/threat-actor.json | 12 +++++++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 043c788..e5620d1 100644
--- a/README.md
+++ b/README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *737* elements
+Category: *actor* - source: *MISP Project* - total: *738* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 69e020d..3cce334 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16702,7 +16702,17 @@
},
"uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7",
"value": "Earth Baxia"
+ },
+ {
+ "description": "SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistani, Sri Lanka, Bangladesh, and China. Industries targeted include government, law enforcement, energy, telecommunications, and technology entitie",
+ "meta": {
+ "refs": [
+ "https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
+ ]
+ },
+ "uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
+ "value": "SloppyLemming"
}
],
- "version": 313
+ "version": 314
}
From f6f6ab550f905c21f0fd7e93a00620ff71a6e501 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 26 Sep 2024 17:36:42 +0200
Subject: [PATCH 06/42] chg: [ransomware] updated
---
README.md | 2 +-
clusters/ransomware.json | 17 +++++++++++++++--
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index e5620d1..8b3c6f9 100644
--- a/README.md
+++ b/README.md
@@ -495,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *38* elements
[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project.
-Category: *tool* - source: *Various* - total: *1804* elements
+Category: *tool* - source: *Various* - total: *1805* elements
[[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 2a91f5c..3ff94d1 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -28551,7 +28551,8 @@
"description": "",
"meta": {
"links": [
- "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion"
+ "http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion",
+ "http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion"
],
"refs": [
"https://www.ransomlook.io/group/black suit"
@@ -29682,7 +29683,19 @@
},
"uuid": "2a1e103b-da5f-56d6-a0c8-5daff4c4fd87",
"value": "orca"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://hackerosyolorz77y7vwj57zobwdeuzydhctz3kuuzr52ylzayvxuqyd.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/osyolorz collective"
+ ]
+ },
+ "uuid": "99ddf1b6-7d75-58f6-b340-47545fec5e55",
+ "value": "osyolorz collective"
}
],
- "version": 133
+ "version": 134
}
From aeab78b95eada597f609ee9521bcff681634939c Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Thu, 26 Sep 2024 17:12:54 +0000
Subject: [PATCH 07/42] chg: [threat-actor] `GhostEmperor` updated
---
clusters/threat-actor.json | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3cce334..d51bb9c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15233,8 +15233,18 @@
"meta": {
"country": "CN",
"refs": [
- "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
- "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf",
+ "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/",
+ "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf",
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation",
+ "https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/",
+ "https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835"
+ ],
+ "synonyms": [
+ "FamousSparrow",
+ "UNC2286",
+ "Salt Typhoon"
]
},
"uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
From e6db8c579a4ae9623dea49674869b206b7e9841d Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Thu, 26 Sep 2024 18:21:38 +0000
Subject: [PATCH 08/42] chg: [threat-actor] added a relationship between `Earth
Estries` and `GhostEmperor`
---
clusters/threat-actor.json | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d51bb9c..6561381 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12795,6 +12795,15 @@
"https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/"
]
},
+ "related": [
+ {
+ "dest-uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
"uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
"value": "Earth Estries"
},
@@ -15247,6 +15256,15 @@
"Salt Typhoon"
]
},
+ "related": [
+ {
+ "dest-uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
"uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
"value": "GhostEmperor"
},
From 70b0823947cb10d7bb02a31aee4674ae723daefe Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 27 Sep 2024 14:23:01 +0200
Subject: [PATCH 09/42] SloppyLemming relationsships
---
clusters/backdoor.json | 12 ++++-
clusters/botnet.json | 24 +++++++++-
clusters/ransomware.json | 11 ++++-
clusters/threat-actor.json | 90 +++++++++++++++++++++++++++++++++++++-
clusters/tool.json | 12 ++++-
5 files changed, 143 insertions(+), 6 deletions(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index d41dede..25cfd99 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -488,7 +488,17 @@
],
"uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff",
"value": "TERRIBLETEA"
+ },
+ {
+ "description": "Merdoor is a fully-featured backdoor that appears to have been in existence since 2018.\nThe backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.",
+ "meta": {
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
+ ]
+ },
+ "uuid": "8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4",
+ "value": "Merdoor"
}
],
- "version": 19
+ "version": 20
}
diff --git a/clusters/botnet.json b/clusters/botnet.json
index c3d9d0a..05e7fbd 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -2031,7 +2031,29 @@
},
"uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff",
"value": "Ztorg"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router",
+ "https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd"
+ ],
+ "synonyms": [
+ "7777"
+ ]
+ },
+ "uuid": "3e027dad-9c0a-437e-9938-dd3cf13b0c22",
+ "value": "Quad7"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router"
+ ]
+ },
+ "uuid": "963d898f-dc48-409e-8069-aaa51ad6664c",
+ "value": "63256 botnet"
}
],
- "version": 35
+ "version": 36
}
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 2a91f5c..7b4287c 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -1494,6 +1494,15 @@
"HavocCrypt Ransomware"
]
},
+ "related": [
+ {
+ "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
"uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
"value": "Havoc"
},
@@ -29684,5 +29693,5 @@
"value": "orca"
}
],
- "version": 133
+ "version": 134
}
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3cce334..5fce634 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15215,6 +15215,15 @@
"Outrider Tiger"
]
},
+ "related": [
+ {
+ "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
"uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
"value": "Fishing Elephant"
},
@@ -16710,9 +16719,88 @@
"https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
]
},
+ "related": [
+ {
+ "dest-uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ },
+ {
+ "dest-uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "targets"
+ }
+ ],
"uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"value": "SloppyLemming"
}
],
- "version": 314
+ "version": 315
}
diff --git a/clusters/tool.json b/clusters/tool.json
index d9d9cdb..3ac50d6 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1882,7 +1882,8 @@
"refs": [
"http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html",
"https://blogs.cisco.com/security/talos/opening-zxshell",
- "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox"
+ "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
],
"synonyms": [
"Sensode"
@@ -9208,6 +9209,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "similar"
+ },
+ {
+ "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
}
],
"uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
@@ -11075,5 +11083,5 @@
"value": "SLIVER"
}
],
- "version": 173
+ "version": 174
}
From a71f9c7e944c42a6d4b854ed7138c8c46a44435e Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 30 Sep 2024 10:41:46 +0200
Subject: [PATCH 10/42] update README.md
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8b3c6f9..fd1d6b9 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
[Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware.
-Category: *tool* - source: *Open Sources* - total: *28* elements
+Category: *tool* - source: *Open Sources* - total: *29* elements
[[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@@ -87,7 +87,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47
[Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy
-Category: *tool* - source: *MISP Project* - total: *130* elements
+Category: *tool* - source: *MISP Project* - total: *132* elements
[[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)]
From 710bcf6bd96e5bc3f7830ae3c894ff142bf220d1 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:55 -0700
Subject: [PATCH 11/42] [threat-actors] Add Storm-0494
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ff18ffb..1105c38 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16828,6 +16828,17 @@
],
"uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"value": "SloppyLemming"
+ },
+ {
+ "description": "Storm-0494 is a threat actor that facilitates Gootloader infections, which are then exploited by groups like Vice Society to deploy tools such as the Supper backdoor, AnyDesk, and MEGA. They utilize RDP for lateral movement and employ the WMI Provider Host to deploy the INC ransomware payload. Microsoft has identified their activities as part of a campaign targeting the U.S. health sector. Their operations are characterized by financially motivated tactics.",
+ "meta": {
+ "refs": [
+ "https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/",
+ "https://x.com/MsftSecIntel/status/1836456406276342215"
+ ]
+ },
+ "uuid": "bed7279c-4ae4-459a-a862-8c69e0cfdb93",
+ "value": "Storm-0494"
}
],
"version": 315
From f39dcbdb730b77f3430a1a4e191c9ec34d92ffdc Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:55 -0700
Subject: [PATCH 12/42] [threat-actors] Add DragonRank
---
clusters/threat-actor.json | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1105c38..38a35ba 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16839,6 +16839,16 @@
},
"uuid": "bed7279c-4ae4-459a-a862-8c69e0cfdb93",
"value": "Storm-0494"
+ },
+ {
+ "description": "DragonRank is a threat actor primarily targeting web application services in Asia and Europe, utilizing TTPs associated with Simplified Chinese-speaking hacking groups. They exploit vulnerabilities in platforms like phpMyAdmin and WordPress to deploy web shells, enabling the installation of PlugX and BadIIS malware for black hat SEO practices. Their operations involve lateral movement within compromised networks to maintain control and elevate privileges, while also engaging in unethical online marketing strategies. DragonRank's activities include manipulating search engine rankings and distributing scam websites through compromised Windows IIS servers.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/dragon-rank-seo-poisoning/"
+ ]
+ },
+ "uuid": "28157c93-0b9f-4341-983a-3a521cee12bb",
+ "value": "DragonRank"
}
],
"version": 315
From 0c0817ab7e569a2446689bb4e9de9c84e752f4d0 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:55 -0700
Subject: [PATCH 13/42] [threat-actors] Add VICE SPIDER
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 38a35ba..b50e58e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16849,6 +16849,17 @@
},
"uuid": "28157c93-0b9f-4341-983a-3a521cee12bb",
"value": "DragonRank"
+ },
+ {
+ "description": "Vice Spider is a Russian-speaking ransomware group that has been active since at least April 2021 and is linked to a significant increase in identity-based attacks, with a reported 583% rise in Kerberoasting incidents. CrowdStrike attributes 27% of these intrusions specifically to Vice Spider, which exploits vulnerabilities in the Kerberos authentication protocol to crack user passwords.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://www.techtarget.com/searchsecurity/news/366547445/CrowdStrike-observes-massive-spike-in-identity-based-attacks"
+ ]
+ },
+ "uuid": "2be3426b-c216-499f-b111-6694e96918f7",
+ "value": "VICE SPIDER"
}
],
"version": 315
From 84ca613198d11e60849d48bc285f815b2e383c00 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:56 -0700
Subject: [PATCH 14/42] [threat-actors] Add AzzaSec
---
clusters/threat-actor.json | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b50e58e..c278876 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16860,6 +16860,18 @@
},
"uuid": "2be3426b-c216-499f-b111-6694e96918f7",
"value": "VICE SPIDER"
+ },
+ {
+ "description": "AzzaSec is a hacktivist group that originated in Italy. Known for their pro-Palestine stance, they have been involved in various cyberattacks targeting Israel and pro-Israel countries. Additionally, AzzaSec has engaged in ransomware activities and has been known to collaborate with other cybercriminal groups.\n\n\n\n\n\n\n\n\n",
+ "meta": {
+ "country": "IT",
+ "refs": [
+ "https://socradar.io/dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival/",
+ "https://thecyberexpress.com/azzasec-noname-join-hands-to-target-ukriane/"
+ ]
+ },
+ "uuid": "7d067b1a-89df-46ff-a2fc-d688da721236",
+ "value": "AzzaSec"
}
],
"version": 315
From 3b57092dd15b05a7af3a83ff6b791b821a471e6d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:56 -0700
Subject: [PATCH 15/42] [threat-actors] Add Handala
---
clusters/threat-actor.json | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c278876..90e264c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16872,6 +16872,19 @@
},
"uuid": "7d067b1a-89df-46ff-a2fc-d688da721236",
"value": "AzzaSec"
+ },
+ {
+ "description": "Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, extortion, and destructive attacks using custom wiper malware. The group utilizes a multi-stage loading process, including a Delphi-coded second-stage loader and an AutoIT injector, to deliver wiper malware that specifically targets Windows and Linux environments. Their phishing campaigns often exploit major events and critical vulnerabilities, masquerading as legitimate organizations to gain initial access. Handala operates a data leak site to publicize stolen data, although claims of successful attacks are sometimes disputed by targeted organizations.",
+ "meta": {
+ "country": "PS",
+ "refs": [
+ "https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html",
+ "https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/",
+ "https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/"
+ ]
+ },
+ "uuid": "7b14f285-86e9-47da-be1a-16ce566c428b",
+ "value": "Handala"
}
],
"version": 315
From 50b2ad7c23fd6655a691fe5a995cc4999b6b4036 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:56 -0700
Subject: [PATCH 16/42] [threat-actors] Add Storm-0501
---
clusters/threat-actor.json | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 90e264c..392776f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16885,6 +16885,16 @@
},
"uuid": "7b14f285-86e9-47da-be1a-16ce566c428b",
"value": "Handala"
+ },
+ {
+ "description": "Storm-0501 is a financially motivated cybercriminal group that has been active since 2021, initially targeting US school districts with the Sabbath ransomware and later transitioning to a RaaS model deploying various ransomware strains, including Embargo. The group exploits weak credentials and over-privileged accounts to achieve lateral movement from on-premises environments to cloud infrastructures, establishing persistent backdoor access and deploying ransomware. They have utilized techniques such as credential theft, exploiting vulnerabilities in Zoho ManageEngine and Citrix NetScaler, and employing tools like Cobalt Strike and Rclone for lateral movement and data exfiltration. Storm-0501 has specifically targeted sectors such as government, manufacturing, transportation, and law enforcement in the United States.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/"
+ ]
+ },
+ "uuid": "f6a60403-4bcc-4fc6-ac07-abb913c1f080",
+ "value": "Storm-0501"
}
],
"version": 315
From e6072c5823937cc47458cc7e8708d91cb9e1d538 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:56 -0700
Subject: [PATCH 17/42] [threat-actors] Add CosmicBeetle
---
clusters/threat-actor.json | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 392776f..60d9868 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16895,6 +16895,16 @@
},
"uuid": "f6a60403-4bcc-4fc6-ac07-abb913c1f080",
"value": "Storm-0501"
+ },
+ {
+ "description": "CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolset called Spacecolon, consisting of ScHackTool, ScInstaller, and ScService, to gain initial access through RDP brute forcing and exploiting vulnerabilities like CVE-2020-1472 and FortiOS SSL-VPN. CosmicBeetle has been observed impersonating the LockBit ransomware gang to leverage its reputation and has shown a tendency to leave artifacts on compromised systems. The group primarily targets SMBs globally, employing techniques such as credential dumping and data destruction.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/"
+ ]
+ },
+ "uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345",
+ "value": "CosmicBeetle"
}
],
"version": 315
From cbdca883d69a213abfd3ea40468673d2574127a5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:56 -0700
Subject: [PATCH 18/42] [threat-actors] Add Storm-1567 aliases
---
clusters/threat-actor.json | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 60d9868..8c4ba11 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15084,7 +15084,9 @@
"https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/"
],
"synonyms": [
- "Akira"
+ "Akira",
+ "PUNK SPIDER",
+ "GOLD SAHARA"
]
},
"uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3",
From aa21df1b3fe244dca89bcb71b8f724df3feba242 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:56 -0700
Subject: [PATCH 19/42] [threat-actors] Add UNC1860
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8c4ba11..498caf6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16907,6 +16907,17 @@
},
"uuid": "9686ff2b-01e0-46eb-9169-9e8d115be345",
"value": "CosmicBeetle"
+ },
+ {
+ "description": "UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks"
+ ]
+ },
+ "uuid": "80a874d5-0645-4245-aeb6-9b33a8689928",
+ "value": "UNC1860"
}
],
"version": 315
From d9c1ddb7cecff3ea94fdf32474cbf658e96ceb40 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Wed, 2 Oct 2024 02:04:57 -0700
Subject: [PATCH 20/42] [threat actors] Update README
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index fd1d6b9..6baa9db 100644
--- a/README.md
+++ b/README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *738* elements
+Category: *actor* - source: *MISP Project* - total: *746* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
From 86e27576100848cfe7d518485f89406cb7852b80 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 3 Oct 2024 08:21:33 +0200
Subject: [PATCH 21/42] chg: [ransomware] updated
---
clusters/ransomware.json | 129 +++++++++++++++++++++++++++++++++++----
1 file changed, 118 insertions(+), 11 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index be420bc..5980df9 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -14578,7 +14578,10 @@
],
"links": [
"http://ekbgzchl6x2ias37.onion",
- "http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/"
+ "http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/",
+ "http://3ws3t4uo7fehnn4qpmadk3zjrxta5xlt3gsc5mx4sztrsy7ficuz5ayd.onion/",
+ "http://amnwxasjtjc6e42siac6t45mhbkgtycrx5krv7sf5festvqxmnchuayd.onion/",
+ "http://qahjimrublt35jlv4teesicrw6zhpwhkb6nhtonwxuqafmjhr7hax2id.onion/"
],
"refs": [
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
@@ -26498,7 +26501,19 @@
"links": [
"https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/",
"https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion",
- "http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/"
+ "http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/",
+ "http://6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion/",
+ "http://r6qkk55wxvy2ziy47oyhptesucwdqqaip23uxregdgquq5oxxlpeecad.onion/",
+ "http://weqv4fxkacebqrjd3lmnss6lrmoxoyihtcc6kdc6mblbv62p5q6skgid.onion/",
+ "http://thesiliconroad1.top/",
+ "http://stuffstevenpeters4.top/",
+ "http://greenmotors5.top/",
+ "http://megatron3.top/",
+ "http://fmzipzpirdpfelbbvnfhoehqxbqg7s7efmgce6hpr5xdcmeazdmic2id.onion/",
+ "http://daulpxe3epdysjozaujz4sj7rytanp4suvdnebxkwdfcuzwxlslebvyd.onion/",
+ "http://databasebb3.top/",
+ "http://l6zxfn3u2s4bl4vt3nvpve6uibqn3he3tgwdpkeeplhwlfwy3ifbt5id.onion/",
+ "http://onlylegalstuff6.top/"
],
"ransomnotes": [
"Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
@@ -27649,7 +27664,8 @@
"http://lbbjmbkvw3yurmnazwkbj5muyvw5dd6y7hyxrus23y33qiqczclrnbyd.onion/",
"http://lbbpoq6d2jglpw7dxarr6oaakgnlxt5nmrza5ojlufsuffuzexajsuyd.onion/",
"http://lbbp2rsfcmg5durpwgs22wxrdngsa4wiwmc4xk6hgmuluy6bvbvvtlid.onion/",
- "http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/"
+ "http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion/",
+ "http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/ec_page3.php"
],
"refs": [
"https://threatpost.com/lockbit-ransomware-proliferates-globally/168746",
@@ -28426,7 +28442,8 @@
"links": [
"https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion",
"https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login",
- "https://huntersinternational.net"
+ "https://huntersinternational.net",
+ "http://huntersinternational.su"
],
"refs": [
"https://www.ransomlook.io/group/hunters"
@@ -28561,7 +28578,18 @@
"meta": {
"links": [
"http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion",
- "http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion"
+ "http://c7jpc6h2ccrdwmhofuij7kz6sr2fg2ndtbvvqy4fse23cf7m2e5hvqid.onion",
+ "http://nz2ihtemh2zli2wc3bovzps55clanspsqx5htu2plolby45a7pk4d3qd.onion/",
+ "http://qjdremetxo2zpli32exwb5uct6cjljyj7v52d5thn7usmj5mlyxdojqd.onion/",
+ "http://yef4xoqj2jq554rqetf2ikmpdtewdlbnx5xrtjtjqaotvfw77ipb6pad.onion/",
+ "http://ptsfbwx5j7kyk5r6n6uz4faic43jtb55sbls7py5wztwbxkyvsikguid.onion/",
+ "http://ro4h37fieb6oyfrwoi5u5wpvaalnegsxzxnwzwzw43anxqmv6hjcsfyd.onion/",
+ "http://cyfafnmijhiqxxfhtofmn5lgk3w5ana6xzpc6gk5uvdfadqflvznpjyd.onion/",
+ "http://betrvom4agzebo27bt7o3hk35tvr7ppw3hrx5xx4ecvijwfsb4iufoyd.onion/",
+ "http://ybo3xr25btxs47nmwykoudoe23nyv6ftkcpjdo4gilfzww4djpurtgid.onion/",
+ "http://k6wtpxwq72gpeil5hqofae7yhbtxphbkyoe2g7rwmpx5sadc4sgsfvid.onion/",
+ "http://vm2rbvfkcqsx2xusltbxziwbsrunjegk6qeywf3bxpjlznq622s3iead.onion/",
+ "http://ng2gzceugc2df6hp6s7wtg7hpupw37vqkvamaydhagv2qbrswdqlq6ad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/black suit"
@@ -28861,7 +28889,8 @@
{
"meta": {
"links": [
- "http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion"
+ "http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion",
+ "http://ulkvlj5sirgrbnvb4hvbjo2ex2c2ceqe2j4my57fcdozpbq5h5pyu7id.onion"
],
"refs": [
"https://www.ransomlook.io/group/3am"
@@ -28898,7 +28927,8 @@
"meta": {
"links": [
"http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog",
- "http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login"
+ "http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login",
+ "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion"
],
"refs": [
"https://www.ransomlook.io/group/dragonforce"
@@ -28956,7 +28986,33 @@
"links": [
"http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion",
"http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion",
- "http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion"
+ "http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion",
+ "http://ipi4tiumgzjsym6pyuzrfqrtwskokxokqannmd6sa24shvr7x5kxdvqd.onion",
+ "http://j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion",
+ "http://zi34ocznt242jallttwvvhihrezjdzfgflf3uhdv6t3z23hhcn54efid.onion",
+ "http://37wb3ygyb3r2vf2dt5o3ca62zlduuowvkkwjrtbcgc5iri4t6rnzr7yd.onion",
+ "http://eppsldmcnv3ylabsx5srvf36wnk6jrowg6x4unxclv55rnu4kf5436yd.onion",
+ "http://slg7tnjb65swwyaebnyymyvo73xm36hxwugdsps7cwcxicizyzyt2byd.onion",
+ "http://x6zdxw6vt3gtpv35yqloydttvfvwyrju3opkmp4xejmlfxto7ahgnpyd.onion",
+ "http://jnbiz5lp44ddg4u5rsr4yebbpxa3iytcsshgbqa4m6r6po5y57h6yxid.onion",
+ "http://sm2gah7bjg6u2dfl3voiex6njh2kcuqqquvv7za37xokmbcivsgqcnad.onion",
+ "http://z7u6dkys7b2aeibvklxga7mldzrepoauiuniqwfhdadkkwwgmv6bqhad.onion",
+ "http://kri3lez34pbqra3xs5wxo55djldtsekol6tuqdjqecqzga6dpnjqruyd.onion",
+ "http://iejj6bywviuecjwi3kxanzojqroe3j3phzgplvrdzcicimtcw6xgk3yd.onion",
+ "http://xixkhm6inbg6t5642t2pjafsjsh3eaonpjysdcfvr3zvadlqb6nhryad.onion",
+ "http://giix5r763sbxmu442tmwfb4thqbz4i5ppxcqsmnnlqnm2yiezv6epxqd.onion",
+ "http://mokcrzbitq2gc5qcpxcbce43pawuthyaoazl6iz2xknj53ebyb4r4eid.onion",
+ "http://gpph6awu7hqsmzmr5sihusjoscp3itwtk3b4i2chwspmka2ikuqcwaqd.onion",
+ "http://v3r6g4q3b2jpqusznecxexr5aqi42vy5ts6jy6fu3strecvb5c2woead.onion",
+ "http://4xo3cicwo2rhpwr6vkgwt7mqg4oiqihsmoxwlmklf4sjoatkdqjtmcyd.onion",
+ "http://a4gbdvoorwn3tcqijoedvdeukqaqwc6t2kx4gh3gm37gv4p37evvzqad.onion",
+ "http://6jb5avmh6rvcb7vcux7kaivnzpqcrfg4ui4xv2co5vmspgrwll7lkkyd.onion",
+ "http://doz7omlqqanryonvil4iuj65shzcv3efupqwubkza6553wnekrrd4uid.onion",
+ "http://hbwsxlq3uzknabg2blt7d4mcbu24oriklji36zdqsz3ou3mf2d7bvoid.onion",
+ "http://ysknyr5m5n3pwg4jnaqsytxea2thwsbca3qipi64vlep42flywx7dgqd.onion",
+ "http://b3pzp6qwelgeygmzn6awkduym6s4gxh6htwxuxeydrziwzlx63zergyd.onion",
+ "http://p2qzf3rfvg4f74v2ambcnr6vniueucitbw6lyupkagsqejtuyak6qrid.onion",
+ "http://whfsjr35whjtrmmqqeqfxscfq564htdm427mjekic63737xscuayvkad.onion"
],
"refs": [
"https://www.ransomlook.io/group/play",
@@ -29012,10 +29068,15 @@
"value": "qiulong"
},
{
+ "description": "",
"meta": {
"links": [
"https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion",
- "https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/"
+ "https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/",
+ "https://vhfd5qagh6j7qbisjqvly7eejqbv6z5bv77v6yuhctn77wmd3hjkyvad.onion",
+ "https://acfckf3l6l7v2tsnedfx222a4og63zt6dmvheqbvsd72hkhaqadrrsad.onion",
+ "https://6wuivqgrv2g7brcwhjw5co3vligiqowpumzkcyebku7i2busrvlxnzid.onion",
+ "https://truysrv2txxvobngtlssbgqs3e3ekd53zl6zoxbotajyvmslp5rdxgid.onion"
],
"refs": [
"https://www.ransomlook.io/group/cactus"
@@ -29250,7 +29311,19 @@
"meta": {
"links": [
"http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion",
- "http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion"
+ "http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion",
+ "http://76yl7gfmz2kkjglcevxps4tleyeqnqhfcxh6rnstxj27oxhoxird3hyd.onion",
+ "http://yj3eozlkkxkcsprc2fug7tolgtnllruyavuyyar3yzsccjdgvu2bl2yd.onion/",
+ "http://ufjoe7fdwvml52oin7flwlqksvp3fcvfyh2kwsngt7j2yf7xou52w2qd.onion/",
+ "http://i2okedfryhllg6ka6aur3wnxcxdaufbuuysp4drr5xoc6gvqpcogejid.onion/",
+ "http://s37weqmxusvfcxkoorgkut5v7frn27zftdb6pdjsyjl5djg6oxjqjbid.onion/",
+ "http://oftm4u5cfl6wyadj27h3csdxfvyd7favssxcr7l7wnswdsrfedxswxqd.onion/",
+ "http://wg55rcy2chmbpeh6pl5pftnveac2lqfxbletrtzanfjhhmvcjnn5tcqd.onion/",
+ "http://sbjthwyoxfuxq75b77e2hsj7ie67m3qicfnuikhuabwo3sikvrzyaxad.onion/",
+ "http://zo5xog4vpvdae473doneepetidh36m5czdq2vyeiq3lvqhuel56p6nid.onion/",
+ "http://66ohzao6afsv2opk22r2kv6fbnf2fthe7v4ykzzc5vjezvvyf3gocwyd.onion/",
+ "https://2nn4b6gihz5bttzabjegune3blwktad2zmy77fwutvvrxxodbufo6qid.onion/",
+ "http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/embargo"
@@ -29299,6 +29372,7 @@
"value": "apos"
},
{
+ "description": "This group is believed to be connected to Lost Trust. El Dorado rebranded to BlackLock in September 2024.",
"meta": {
"links": [
"http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/",
@@ -29544,6 +29618,7 @@
"value": "chilelocker"
},
{
+ "description": "Group is also currently known as MADDLL32 and Metatron.",
"meta": {
"links": [
"http://k67ivvik3dikqi4gy4ua7xa6idijl4si7k5ad5lotbaeirfcsx4sgbid.onion"
@@ -29704,7 +29779,39 @@
},
"uuid": "99ddf1b6-7d75-58f6-b340-47545fec5e55",
"value": "osyolorz collective"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://3o5ewrzhqoyodfs5kll4cjxagdfrpuu474panwobm4im7ejfpaux5jyd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/embrago"
+ ]
+ },
+ "uuid": "f054ec08-9058-52ba-a90d-922a9cc1a412",
+ "value": "embrago"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://nitrogenczslprh3xyw6lh5xyjvmsz7ciljoqxxknd7uymkfetfhgvqd.onion",
+ "http://2u6njk55okdxvrup5feu3wbhyxvlqla7yuj2oz3xkzz27yzc66vcirqd.onion/",
+ "http://jzl4bylm4bng2zgmeqw3lx6bcbxzb2hulicxneuosq26sshnitrcvcad.onion/",
+ "http://6a5ib4udgwlkyl3zzeyenedcb7d33j2vq7egpqykr5457uiskeu6zjad.onion/",
+ "http://hzyp7n436ecwo73xvrgnf5wmbjewszwut4h6vz4fu6f2oqd5zfcd7sad.onion/",
+ "http://67hvtslok5a4cwjxfmidbgbunsvckypf2dwkpxg3y2sabar5b4jidmyd.onion/",
+ "http://sqnnhgqr4iiwnkaih6vspyxmebz2vvjv3uybmjdynw6sne5plilunhyd.onion/",
+ "http://z4tonbkjybcllsvd45smpkqkk5uaspmlnvmysrkxt37wuudijvp7k2id.onion",
+ "http://awrfq7pjydfp3hwbsun6ltxrrzths5ztgxj7i7ybx7twjrdvzvxkgwad.onion"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/nitrogen"
+ ]
+ },
+ "uuid": "9d7ca9df-c219-59fc-93fb-86f4606942ba",
+ "value": "nitrogen"
}
],
- "version": 134
+ "version": 135
}
From a3fd555efe6248e7ea5a399e1f7b083f9a019d39 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 3 Oct 2024 08:38:18 +0200
Subject: [PATCH 22/42] chg: [sigma] updated to the latest version
---
README.md | 4 +-
clusters/sigma-rules.json | 3046 +++++++++++++++++++------------------
2 files changed, 1543 insertions(+), 1507 deletions(-)
diff --git a/README.md b/README.md
index fd1d6b9..71ff208 100644
--- a/README.md
+++ b/README.md
@@ -495,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *38* elements
[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project.
-Category: *tool* - source: *Various* - total: *1805* elements
+Category: *tool* - source: *Various* - total: *1807* elements
[[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@@ -535,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
[Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules.
-Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2964* elements
+Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2965* elements
[[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 222a4df..db7c7bf 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -23,10 +23,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
],
"tags": [
@@ -149,10 +149,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
+ "https://www.sans.org/cyber-security-summit/archives",
"https://twitter.com/jamieantisocial/status/1304520651248668673",
"https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling",
- "https://www.sans.org/cyber-security-summit/archives",
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
],
"tags": [
@@ -188,9 +188,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
],
"tags": [
@@ -258,10 +258,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
],
"tags": [
@@ -294,9 +294,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://twitter.com/Hexacorn/status/991447379864932352",
"https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
+ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
],
"tags": [
@@ -395,8 +395,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
"https://persistence-info.github.io/Data/aedebug.html",
+ "https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
],
"tags": [
@@ -419,12 +419,12 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
- "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
- "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
"https://www.attackiq.com/2023/09/20/emulating-rhysida/",
+ "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
+ "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
+ "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml"
],
"tags": [
@@ -466,11 +466,11 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
- "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
- "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
"https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
+ "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
+ "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
],
"tags": [
@@ -717,8 +717,8 @@
"logsource.product": "windows",
"refs": [
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
],
"tags": [
@@ -751,8 +751,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf",
"https://twitter.com/standa_t/status/1808868985678803222",
+ "https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml"
],
"tags": [
@@ -820,9 +820,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
],
"tags": [
@@ -863,8 +863,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74",
+ "https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml"
],
"tags": [
@@ -1032,8 +1032,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
],
"tags": [
@@ -1100,9 +1100,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
],
"tags": [
@@ -1135,8 +1135,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
"https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
],
"tags": [
@@ -1202,10 +1202,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
+ "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
"https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
"https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
- "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
+ "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml"
],
"tags": [
@@ -1329,8 +1329,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://labs.f-secure.com/blog/scheduled-task-tampering/",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://labs.f-secure.com/blog/scheduled-task-tampering/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
],
"tags": [
@@ -1439,8 +1439,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll",
"https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/",
+ "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml"
],
"tags": [
@@ -1473,8 +1473,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
],
"tags": [
@@ -1508,6 +1508,7 @@
"logsource.product": "windows",
"refs": [
"https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)",
+ "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml"
],
"tags": [
@@ -1540,9 +1541,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
"https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
],
"tags": [
@@ -1626,9 +1627,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
"https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
"https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml"
],
"tags": [
@@ -1661,8 +1662,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
"https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml"
],
@@ -1773,8 +1774,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
"https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml"
],
"tags": [
@@ -1857,8 +1858,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
"https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
],
"tags": [
@@ -1891,9 +1892,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
"https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
"https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
+ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml"
],
"tags": [
@@ -1939,10 +1940,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
- "https://twitter.com/0gtweet/status/1468548924600459267",
"https://persistence-info.github.io/Data/ifilters.html",
+ "https://twitter.com/0gtweet/status/1468548924600459267",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
],
"tags": [
@@ -1965,10 +1966,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
"https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
- "https://twitter.com/M_haggis/status/1699056847154725107",
+ "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
"https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://twitter.com/M_haggis/status/1699056847154725107",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml"
],
"tags": [
@@ -2285,17 +2286,17 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
"https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
],
"tags": [
@@ -2336,8 +2337,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml"
],
"tags": [
@@ -2393,8 +2394,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
+ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
],
"tags": [
@@ -2451,8 +2452,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll",
"https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/",
+ "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml"
],
"tags": [
@@ -2485,8 +2486,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
"https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
+ "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
],
"tags": [
@@ -2519,8 +2520,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://youtu.be/zSihR3lTf7g",
"https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
+ "https://youtu.be/zSihR3lTf7g",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml"
],
"tags": [
@@ -2610,16 +2611,16 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://blog.sekoia.io/darkgate-internals/",
- "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.sekoia.io/darkgate-internals/",
"https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
"https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
],
"tags": [
@@ -2787,9 +2788,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
],
"tags": [
@@ -2857,13 +2858,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
],
"tags": [
@@ -2896,9 +2897,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
"https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
+ "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
],
"tags": [
@@ -2933,9 +2934,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
],
"tags": [
@@ -2991,9 +2992,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
],
"tags": [
@@ -3077,9 +3078,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
],
"tags": [
@@ -3148,8 +3149,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
"https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
],
"tags": [
@@ -3184,9 +3185,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
],
"tags": [
@@ -3277,9 +3278,9 @@
"logsource.product": "windows",
"refs": [
"https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://github.com/elastic/detection-rules/issues/1371",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
"https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://github.com/elastic/detection-rules/issues/1371",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
],
"tags": [
@@ -3444,9 +3445,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
],
"tags": [
@@ -3552,8 +3553,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
"https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml"
],
@@ -3620,8 +3621,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/shell/app-registration",
"https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+ "https://learn.microsoft.com/en-us/windows/win32/shell/app-registration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml"
],
"tags": [
@@ -3654,13 +3655,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
],
"tags": [
@@ -3728,8 +3729,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
"https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
],
"tags": [
@@ -3819,8 +3820,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://vanmieghem.io/stealth-outlook-persistence/",
"https://twitter.com/_vivami/status/1347925307643355138",
+ "https://vanmieghem.io/stealth-outlook-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
],
"tags": [
@@ -3877,8 +3878,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml"
],
"tags": [
@@ -3978,10 +3979,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
- "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1",
"https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
+ "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
"https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps",
+ "https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml"
],
"tags": [
@@ -4038,9 +4039,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
],
"tags": [
@@ -4106,9 +4107,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
"https://persistence-info.github.io/Data/codesigning.html",
"https://github.com/gtworek/PSBits/tree/master/SIP",
- "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
],
"tags": [
@@ -4199,8 +4200,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior",
"https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5",
+ "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml"
],
"tags": [
@@ -4233,8 +4234,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
"https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis",
+ "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml"
],
"tags": [
@@ -4267,8 +4268,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.exploit-db.com/exploits/47696",
"http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
+ "https://www.exploit-db.com/exploits/47696",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
],
"tags": [
@@ -4399,8 +4400,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
"https://github.com/hfiref0x/UACME",
+ "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
],
"tags": [
@@ -4468,8 +4469,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
"https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
+ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
],
"tags": [
@@ -4535,9 +4536,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
"https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change",
- "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml"
],
"tags": [
@@ -4645,8 +4646,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/rootm0s/WinPwnage",
"https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
+ "https://github.com/rootm0s/WinPwnage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
],
"tags": [
@@ -4679,8 +4680,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
],
"tags": [
@@ -4804,9 +4805,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
"https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
"https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
- "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
],
"tags": [
@@ -4862,8 +4863,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
"https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml"
],
"tags": [
@@ -5087,8 +5088,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
"https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
+ "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml"
],
"tags": [
@@ -5189,9 +5190,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
"https://twitter.com/pabraeken/status/998627081360695297",
"https://twitter.com/VakninHai/status/1517027824984547329",
+ "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
],
"tags": [
@@ -5265,8 +5266,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://twitter.com/malmoeb/status/1560536653709598721",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
],
"tags": [
@@ -5290,10 +5291,10 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
- "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage",
"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
],
"tags": [
@@ -5459,8 +5460,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml"
],
"tags": [
@@ -5527,9 +5528,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
],
"tags": [
@@ -5597,10 +5598,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://persistence-info.github.io/Data/userinitmprlogonscript.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
],
"tags": [
@@ -5634,9 +5635,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
],
"tags": [
@@ -5711,8 +5712,8 @@
"logsource.product": "windows",
"refs": [
"https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials",
- "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/",
"https://adsecurity.org/?p=1785",
+ "https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml"
],
"tags": [
@@ -5745,10 +5746,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
],
"tags": [
@@ -6086,8 +6087,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml"
],
"tags": [
@@ -6327,9 +6328,9 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
"https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
"http://woshub.com/how-to-clear-rdp-connections-history/",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
],
"tags": [
@@ -6370,11 +6371,11 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/shell/launch",
"https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
"https://github.com/OTRF/detection-hackathon-apt29/issues/7",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
"https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
- "https://learn.microsoft.com/en-us/windows/win32/shell/launch",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
],
"tags": [
@@ -6441,8 +6442,8 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
"https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis",
+ "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml"
],
"tags": [
@@ -6508,8 +6509,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
],
"tags": [
@@ -6552,9 +6553,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
+ "https://adepts.of0x.cc/netsh-portproxy-code/",
"https://www.dfirnotes.net/portproxy_detection/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://adepts.of0x.cc/netsh-portproxy-code/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
],
"tags": [
@@ -6659,9 +6660,9 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
+ "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
"https://nvd.nist.gov/vuln/detail/cve-2021-34527",
- "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://nvd.nist.gov/vuln/detail/cve-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
],
@@ -6697,9 +6698,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
+ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
"https://persistence-info.github.io/Data/recyclebin.html",
- "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
],
"tags": [
@@ -6732,10 +6733,10 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
- "https://github.com/hfiref0x/UACME",
- "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
"https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://github.com/hfiref0x/UACME",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
],
"tags": [
@@ -6877,8 +6878,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
"https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
],
"tags": [
@@ -7253,8 +7254,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/",
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157",
+ "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml"
],
"tags": [
@@ -7428,8 +7429,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/MalwareJake/status/870349480356454401",
"https://wikileaks.org/vault7/#Pandemic",
+ "https://twitter.com/MalwareJake/status/870349480356454401",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml"
],
"tags": [
@@ -7743,11 +7744,11 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
- "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
"https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
],
"tags": [
@@ -7847,8 +7848,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/amsi.html",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
+ "https://persistence-info.github.io/Data/amsi.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml"
],
"tags": [
@@ -8307,8 +8308,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml"
],
"tags": [
@@ -8341,8 +8342,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml"
],
"tags": [
@@ -8376,9 +8377,9 @@
"logsource.product": "windows",
"refs": [
"https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
- "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
+ "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml"
],
"tags": [
@@ -8411,8 +8412,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
"https://twitter.com/notwhickey/status/1333900137232523264",
+ "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml"
],
"tags": [
@@ -8445,9 +8446,9 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
"https://twitter.com/neonprimetime/status/1436376497980428318",
"https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml"
],
"tags": [
@@ -8548,8 +8549,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
"https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
+ "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
"https://cydefops.com/devtunnels-unleashed",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml"
],
@@ -8784,8 +8785,8 @@
"logsource.product": "windows",
"refs": [
"https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/",
- "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf",
"https://malware.guide/browser-hijacker/remove-onelaunch-virus/",
+ "https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml"
],
"tags": [
@@ -8861,13 +8862,13 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
"https://blog.sekoia.io/scattered-spider-laying-new-eggs/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
"https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://redcanary.com/blog/misbehaving-rats/",
"https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"
],
@@ -8901,18 +8902,18 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
"https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
"https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml"
],
"tags": [
@@ -9027,8 +9028,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
- "https://o365blog.com/post/adfs/",
"https://github.com/Azure/SimuLand",
+ "https://o365blog.com/post/adfs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml"
],
"tags": [
@@ -9130,8 +9131,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
"https://github.com/malcomvetter/CSExec",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml"
],
"tags": [
@@ -9309,10 +9310,10 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/d4rksystem/status/1357010969264873472",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
"https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
"https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
- "https://github.com/SigmaHQ/sigma/issues/253",
- "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml"
],
"tags": [
@@ -9346,8 +9347,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
"https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml"
],
"tags": [
@@ -9448,8 +9449,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml"
],
"tags": [
@@ -9506,8 +9507,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
"https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml"
],
"tags": [
@@ -9540,8 +9541,8 @@
"logsource.category": "sysmon_status",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
],
"tags": [
@@ -9620,8 +9621,8 @@
"logsource.category": "sysmon_error",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
],
"tags": [
@@ -9654,8 +9655,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
"https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml"
],
"tags": [
@@ -9736,9 +9737,9 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/KeeThief",
"https://github.com/denandz/KeeFarce",
"https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/GhostPack/KeeThief",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
],
"tags": [
@@ -9771,8 +9772,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/",
"https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/",
+ "https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml"
],
"tags": [
@@ -9906,8 +9907,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
"https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
+ "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml"
],
"tags": [
@@ -10523,8 +10524,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/SafetyKatz",
"https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
+ "https://github.com/GhostPack/SafetyKatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml"
],
"tags": [
@@ -10557,8 +10558,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
"https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml"
],
"tags": [
@@ -10682,8 +10683,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml"
],
"tags": [
@@ -10740,8 +10741,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
],
@@ -10775,9 +10776,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://en.wikipedia.org/wiki/IExpress",
- "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
"https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
+ "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://en.wikipedia.org/wiki/IExpress",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml"
],
"tags": [
@@ -10960,10 +10961,10 @@
"logsource.product": "windows",
"refs": [
"https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -10996,8 +10997,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
"https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml"
],
@@ -11111,8 +11112,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
"https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
+ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml"
],
"tags": [
@@ -11303,8 +11304,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders",
"https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
+ "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml"
],
"tags": [
@@ -11337,10 +11338,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
"https://github.com/Yaxser/Backstab",
- "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
"https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
+ "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
],
"tags": [
@@ -11543,9 +11544,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"Internal Research",
"https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
],
"tags": [
@@ -11578,8 +11579,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
"https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml"
],
"tags": [
@@ -11602,10 +11603,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
],
"tags": [
@@ -11727,8 +11728,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/wpbbin.html",
"https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
],
"tags": [
@@ -11785,8 +11786,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml"
],
"tags": [
@@ -11882,8 +11883,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
"https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
],
"tags": [
@@ -12399,9 +12400,9 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
"https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
"http://addbalance.com/word/startup.htm",
- "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml"
],
"tags": [
@@ -12533,26 +12534,26 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/besimorhino/powercat",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/adrecon/ADRecon",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/samratashok/nishang",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/adrecon/AzureADRecon",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
- "https://github.com/PowerShellMafia/PowerSploit",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
"https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/besimorhino/powercat",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/adrecon/AzureADRecon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
],
"tags": [
@@ -12651,8 +12652,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/davisrichardg/status/1616518800584704028",
"https://aboutdfir.com/the-key-to-identify-psexec/",
+ "https://twitter.com/davisrichardg/status/1616518800584704028",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml"
],
"tags": [
@@ -12705,12 +12706,12 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/helpsystems/nanodump",
- "https://www.google.com/search?q=procdump+lsass",
"https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
"https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://www.google.com/search?q=procdump+lsass",
"https://github.com/CCob/MirrorDump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/helpsystems/nanodump",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
],
"tags": [
@@ -12811,10 +12812,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
+ "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
],
"tags": [
@@ -12880,8 +12881,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1550836225652686848",
"https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile",
+ "https://twitter.com/nas_bench/status/1550836225652686848",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml"
],
"tags": [
@@ -13045,8 +13046,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml"
],
"tags": [
@@ -13069,8 +13070,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md",
"PT ESC rule and personal experience",
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml"
],
"tags": [
@@ -13103,8 +13104,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
],
@@ -13233,8 +13234,8 @@
"refs": [
"https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
- "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
+ "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
],
"tags": [
@@ -13367,8 +13368,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
],
"tags": [
@@ -13598,10 +13599,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
- "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
"https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence",
"https://liberty-shell.com/sec/2020/02/25/shim-persistence/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
+ "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml"
],
"tags": [
@@ -13768,8 +13769,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
],
"tags": [
@@ -13835,8 +13836,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
"https://github.com/last-byte/PersistenceSniper",
+ "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml"
],
"tags": [
@@ -13859,11 +13860,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
"tags": [
@@ -13897,9 +13898,9 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://pentestlab.blog/tag/ntds-dit/",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
+ "https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml"
],
"tags": [
@@ -14065,10 +14066,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cube0x0/status/1418920190759378944",
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
"https://github.com/GossiTheDog/HiveNightmare",
"https://github.com/FireFart/hivenightmare/",
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://twitter.com/cube0x0/status/1418920190759378944",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml"
],
"tags": [
@@ -14247,8 +14248,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py",
"https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/",
+ "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml"
],
"tags": [
@@ -14282,8 +14283,8 @@
"logsource.product": "windows",
"refs": [
"https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://twitter.com/Sam0x90/status/1552011547974696960",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
],
"tags": [
@@ -14339,8 +14340,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
@@ -14407,8 +14408,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/outflanknl/Dumpert",
"https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml"
],
"tags": [
@@ -14441,8 +14442,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/fox-it/LDAPFragger",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml"
],
@@ -14536,9 +14537,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
"https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
"https://twitter.com/pfiatde/status/1681977680688738305",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
"https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
"https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml"
@@ -14573,8 +14574,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.joesandbox.com/analysis/465533/0/html",
"https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.joesandbox.com/analysis/465533/0/html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
],
"tags": [
@@ -14657,11 +14658,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
"tags": [
@@ -14694,8 +14695,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
"https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
],
"tags": [
@@ -14755,10 +14756,10 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/MaD_c4t/status/1623414582382567424",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
"https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
"https://labs.withsecure.com/publications/detecting-onenote-abuse",
- "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml"
],
@@ -15107,12 +15108,12 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://github.com/Wh04m1001/SysmonEoP",
"https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
- "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -15155,8 +15156,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"Internal Research",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml"
],
"tags": [
@@ -15222,9 +15223,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
],
"tags": [
@@ -15257,11 +15258,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://github.com/search?q=CVE-2021-36934",
"https://github.com/HuskyHacks/ShadowSteal",
"https://github.com/FireFart/hivenightmare",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
- "https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
"tags": [
@@ -15294,8 +15295,8 @@
"logsource.category": "file_rename",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
"https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
+ "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
],
"tags": [
@@ -15362,8 +15363,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml"
],
"tags": [
@@ -15465,8 +15466,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens",
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
+ "https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml"
],
"tags": [
@@ -15599,8 +15600,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/",
"Internal Research",
+ "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml"
],
"tags": [
@@ -15756,8 +15757,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/",
"Internal Research",
+ "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml"
],
"tags": [
@@ -15823,8 +15824,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
"https://github.com/cube0x0/CVE-2021-1675",
+ "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml"
],
"tags": [
@@ -15961,8 +15962,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
"https://github.com/OTRF/detection-hackathon-apt29/issues/9",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml"
],
"tags": [
@@ -16028,9 +16029,9 @@
"logsource.category": "file_executable_detected",
"logsource.product": "windows",
"refs": [
- "https://en.wikipedia.org/wiki/IExpress",
- "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
"https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
+ "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://en.wikipedia.org/wiki/IExpress",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml"
],
"tags": [
@@ -16188,9 +16189,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
- "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
"https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
+ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
+ "https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
],
"tags": [
@@ -16223,9 +16224,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/hfiref0x/UACME",
"https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
+ "https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
],
"tags": [
@@ -16510,10 +16511,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://twitter.com/splinter_code/status/1483815103279603714",
- "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml"
],
"tags": [
@@ -16565,8 +16566,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/bohops/status/1477717351017680899?s=12",
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
+ "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml"
],
"tags": [
@@ -16656,8 +16657,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://twitter.com/_JohnHammond/status/1531672601067675648",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"
],
@@ -16724,9 +16725,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
- "https://github.com/GhostPack/Rubeus",
"https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
+ "https://github.com/GhostPack/Rubeus",
+ "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml"
],
"tags": [
@@ -16776,12 +16777,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
- "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
- "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior",
- "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
- "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
"https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
+ "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior",
+ "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
+ "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
+ "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml"
],
"tags": [
@@ -16814,13 +16815,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml"
],
"tags": [
@@ -16853,9 +16854,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/",
"https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml"
],
"tags": [
@@ -16932,8 +16933,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
"https://ss64.com/bash/rar.html",
+ "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml"
],
@@ -17159,8 +17160,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml"
],
"tags": [
@@ -17226,10 +17227,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://en.wikipedia.org/wiki/IExpress",
- "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
- "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
"https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/",
+ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
+ "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://en.wikipedia.org/wiki/IExpress",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml"
],
"tags": [
@@ -17295,9 +17296,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml"
],
@@ -17413,8 +17414,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml"
],
@@ -17597,8 +17598,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
"Turla has used fsutil fsinfo drives to list connected drives.",
+ "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
],
"tags": [
@@ -17631,8 +17632,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BloodHoundAD/BloodHound",
"https://github.com/BloodHoundAD/SharpHound",
+ "https://github.com/BloodHoundAD/BloodHound",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml"
],
"tags": [
@@ -17706,8 +17707,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/Seatbelt",
"https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
+ "https://github.com/GhostPack/Seatbelt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
],
"tags": [
@@ -17923,8 +17924,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/mandiant/SharPersist",
"https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
+ "https://github.com/mandiant/SharPersist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml"
],
"tags": [
@@ -17980,13 +17981,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
- "https://github.com/zcgonvh/NTDSDumpEx",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://pentestlab.blog/tag/ntds-dit/",
+ "https://github.com/zcgonvh/NTDSDumpEx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
"tags": [
@@ -18128,8 +18129,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml"
],
"tags": [
@@ -18360,8 +18361,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml"
],
"tags": [
@@ -18462,8 +18463,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
"https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml"
],
"tags": [
@@ -18497,9 +18498,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://adepts.of0x.cc/netsh-portproxy-code/",
"https://www.dfirnotes.net/portproxy_detection/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://adepts.of0x.cc/netsh-portproxy-code/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml"
],
"tags": [
@@ -18608,10 +18609,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
"https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml"
],
"tags": [
@@ -18721,10 +18722,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
"https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml"
],
"tags": [
@@ -18791,9 +18792,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/cloudflare/cloudflared",
"https://blog.reconinfosec.com/emergence-of-akira-ransomware-group",
"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
- "https://github.com/cloudflare/cloudflared",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml"
],
"tags": [
@@ -19020,8 +19021,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
"https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml"
],
"tags": [
@@ -19360,11 +19361,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/vysecurity/status/885545634958385153",
"https://twitter.com/Hexacorn/status/885570278637678592",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
"https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
"https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
- "https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://twitter.com/vysecurity/status/885545634958385153",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml"
],
"tags": [
@@ -19487,8 +19488,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://www.echotrail.io/insights/search/wusa.exe/",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml"
],
"tags": [
@@ -19661,8 +19662,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml"
],
"tags": [
@@ -19686,8 +19687,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.viettelcybersecurity.com/saml-show-stopper/",
- "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
"https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
+ "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml"
],
"tags": [
@@ -19779,8 +19780,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
"https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"
],
"tags": [
@@ -19813,8 +19814,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml"
],
"tags": [
@@ -20030,8 +20031,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/wpbbin.html",
"https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ "https://persistence-info.github.io/Data/wpbbin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml"
],
"tags": [
@@ -20139,8 +20140,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/tag/svchost/",
"https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
+ "https://pentestlab.blog/tag/svchost/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml"
],
"tags": [
@@ -20172,8 +20173,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://emkc.org/s/RJjuLa",
"https://www.mandiant.com/resources/blog/lnk-between-browsers",
+ "https://emkc.org/s/RJjuLa",
"https://redcanary.com/blog/chromeloader/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml"
],
@@ -20207,8 +20208,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -20307,8 +20308,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://linux.die.net/man/1/bash",
"https://lolbas-project.github.io/lolbas/Binaries/Bash/",
+ "https://linux.die.net/man/1/bash",
"Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml"
],
@@ -20410,9 +20411,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
- "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2",
"https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
+ "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2",
+ "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"
],
"tags": [
@@ -20512,9 +20513,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml"
],
"tags": [
@@ -20570,10 +20571,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
- "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
+ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml"
],
"tags": [
@@ -20606,8 +20607,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows",
"https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml"
],
"tags": [
@@ -20657,8 +20658,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
"https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
+ "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml"
],
"tags": [
@@ -20732,11 +20733,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/aceresponder/status/1636116096506818562",
+ "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
"https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
+ "https://twitter.com/aceresponder/status/1636116096506818562",
"https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
"https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
- "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml"
],
"tags": [
@@ -20838,8 +20839,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=Ie831jF0bb0",
"https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.youtube.com/watch?v=Ie831jF0bb0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml"
],
"tags": [
@@ -20881,9 +20882,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
- "https://www.yeahhub.com/list-installed-programs-version-path-windows/",
"https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product",
+ "https://www.yeahhub.com/list-installed-programs-version-path-windows/",
+ "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"
],
"tags": [
@@ -20918,9 +20919,9 @@
"refs": [
"https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://twitter.com/egre55/status/1087685529016193025",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
],
"tags": [
@@ -20953,8 +20954,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml"
],
"tags": [
@@ -20988,9 +20989,9 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
"https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml"
],
"tags": [
@@ -21023,9 +21024,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml"
],
"tags": [
@@ -21092,9 +21093,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
"https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
"https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
- "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml"
],
"tags": [
@@ -21129,9 +21130,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
- "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
+ "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"
],
"tags": [
@@ -21274,8 +21275,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml"
],
"tags": [
@@ -21310,9 +21311,9 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"
],
"tags": [
@@ -21336,8 +21337,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
"https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"
],
"tags": [
@@ -21459,8 +21460,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
"https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"
],
"tags": [
@@ -21527,8 +21528,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1550836225652686848",
"https://persistence-info.github.io/Data/windowsterminalprofile.html",
+ "https://twitter.com/nas_bench/status/1550836225652686848",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
],
"tags": [
@@ -21586,8 +21587,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
"https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml"
],
"tags": [
@@ -21662,10 +21663,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"
],
"tags": [
@@ -21754,8 +21755,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dsnezhkov/TruffleSnout",
"https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
+ "https://github.com/dsnezhkov/TruffleSnout",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml"
],
@@ -21823,9 +21824,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
"https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml"
],
@@ -22109,11 +22110,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
- "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
"https://man.openbsd.org/ssh_config#LocalCommand",
"https://gtfobins.github.io/gtfobins/ssh/",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
"https://man.openbsd.org/ssh_config#ProxyCommand",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml"
],
"tags": [
@@ -22146,10 +22147,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
],
"tags": [
@@ -22192,9 +22193,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://www.intrinsec.com/apt27-analysis/",
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
],
"tags": [
@@ -22434,9 +22435,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
],
"tags": [
@@ -22537,8 +22538,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
"https://twitter.com/med0x2e/status/1520402518685200384",
+ "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml"
],
"tags": [
@@ -22614,8 +22615,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
"https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
+ "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml"
],
"tags": [
@@ -22648,8 +22649,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
"https://twitter.com/kmkz_security/status/1220694202301976576",
+ "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml"
],
"tags": [
@@ -22794,8 +22795,8 @@
"refs": [
"https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
"https://redcanary.com/blog/msix-installers/",
- "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
"https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml"
],
"tags": [
@@ -22829,9 +22830,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml"
],
"tags": [
@@ -23012,10 +23013,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
"https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
- "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
+ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
"https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
+ "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml"
],
"tags": [
@@ -23292,12 +23293,12 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
- "https://positive.security/blog/ms-officecmd-rce",
- "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
- "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
"https://taggart-tech.com/quasar-electron/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
"https://github.com/mttaggart/quasar",
+ "https://positive.security/blog/ms-officecmd-rce",
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
],
"tags": [
@@ -23353,8 +23354,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://twitter.com/frack113/status/1555830623633375232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"
],
@@ -23421,8 +23422,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://tria.ge/240731-jh4crsycnb/behavioral2",
"https://redcanary.com/blog/threat-detection/process-masquerading/",
+ "https://tria.ge/240731-jh4crsycnb/behavioral2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml"
],
"tags": [
@@ -23479,11 +23480,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
],
"tags": [
@@ -23516,13 +23517,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sql/tools/bcp-utility",
- "https://asec.ahnlab.com/en/61000/",
- "https://www.huntress.com/blog/attacking-mssql-servers",
- "https://asec.ahnlab.com/en/78944/",
- "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
"https://www.huntress.com/blog/attacking-mssql-servers-pt-ii",
+ "https://www.huntress.com/blog/attacking-mssql-servers",
"https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/",
+ "https://asec.ahnlab.com/en/61000/",
+ "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://asec.ahnlab.com/en/78944/",
+ "https://docs.microsoft.com/en-us/sql/tools/bcp-utility",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml"
],
"tags": [
@@ -23555,8 +23556,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/wermgr.exe",
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
"https://github.com/binderlabs/DirCreate2System",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
],
@@ -23600,9 +23601,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
],
"tags": [
@@ -23726,8 +23727,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"
],
"tags": [
@@ -23828,8 +23829,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
],
"tags": [
@@ -23903,9 +23904,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
],
"tags": [
@@ -23971,10 +23972,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://tria.ge/240521-ynezpagf56/behavioral1",
- "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/",
"https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091",
"https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/",
+ "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/",
+ "https://tria.ge/240521-ynezpagf56/behavioral1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml"
],
"tags": [
@@ -24007,8 +24008,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
"https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/",
+ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml"
],
"tags": [
@@ -24042,11 +24043,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/cglyer/status/1355171195654709249",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://twitter.com/cglyer/status/1355171195654709249",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
],
"tags": [
@@ -24222,8 +24223,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
- "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
"http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
+ "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml"
],
"tags": [
@@ -24257,8 +24258,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml"
],
@@ -24326,8 +24327,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml"
],
@@ -24403,8 +24404,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
+ "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"
],
"tags": [
@@ -24470,8 +24471,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
"https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
+ "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
],
"tags": [
@@ -24538,8 +24539,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core",
"https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
+ "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml"
],
"tags": [
@@ -24572,12 +24573,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vletoux/pingcastle",
- "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
- "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
"https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
"https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
+ "https://github.com/vletoux/pingcastle",
"https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
+ "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
"https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml"
],
@@ -24612,8 +24613,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml"
],
"tags": [
@@ -24646,8 +24647,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://emkc.org/s/RJjuLa",
"https://www.mandiant.com/resources/blog/lnk-between-browsers",
+ "https://emkc.org/s/RJjuLa",
"https://redcanary.com/blog/chromeloader/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
],
@@ -24681,11 +24682,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
"https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
],
"tags": [
@@ -24761,12 +24762,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/helpsystems/nanodump",
"https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://github.com/Hackndo/lsassy",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
"https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://github.com/Hackndo/lsassy",
"https://github.com/CCob/MirrorDump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/helpsystems/nanodump",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
],
"tags": [
@@ -24799,8 +24800,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Print/",
"https://twitter.com/Oddvarmoe/status/985518877076541440",
+ "https://lolbas-project.github.io/lolbas/Binaries/Print/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"
],
"tags": [
@@ -24882,9 +24883,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://www.php.net/manual/en/features.commandline.php",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
],
"tags": [
@@ -24942,8 +24943,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
"https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
],
"tags": [
@@ -25043,8 +25044,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml"
],
@@ -25122,8 +25123,8 @@
"logsource.product": "windows",
"refs": [
"https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml"
],
"tags": [
@@ -25189,10 +25190,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_JohnHammond/status/1588155401752788994",
"https://twitter.com/Max_Mal_/status/1633863678909874176",
"Internal Research",
"https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
+ "https://twitter.com/_JohnHammond/status/1588155401752788994",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml"
],
"tags": [
@@ -25258,8 +25259,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
],
"tags": [
@@ -25348,9 +25349,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
"https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
"https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
+ "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
],
"tags": [
@@ -25452,10 +25453,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
- "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
- "https://github.com/defaultnamehere/cookie_crimes/",
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://github.com/defaultnamehere/cookie_crimes/",
+ "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml"
],
"tags": [
@@ -25554,8 +25555,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
],
@@ -25657,8 +25658,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml"
],
@@ -26140,10 +26141,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
"https://twitter.com/SBousseaden/status/1211636381086339073",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
],
"tags": [
@@ -26194,8 +26195,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
"https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
+ "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
],
"tags": [
@@ -26228,12 +26229,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://redcanary.com/blog/raspberry-robin/",
- "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml"
],
"tags": [
@@ -26299,8 +26300,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.gpg4win.de/documentation.html",
"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://www.gpg4win.de/documentation.html",
"https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml"
],
@@ -26324,8 +26325,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
"https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml"
],
"tags": [
@@ -26359,9 +26360,9 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
"https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml"
],
"tags": [
@@ -26461,9 +26462,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1",
- "https://labs.nettitude.com/blog/introducing-sharpwsus/",
"https://github.com/nettitude/SharpWSUS",
+ "https://labs.nettitude.com/blog/introducing-sharpwsus/",
+ "https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml"
],
"tags": [
@@ -26530,8 +26531,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml"
],
"tags": [
@@ -26901,8 +26902,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml"
],
"tags": [
@@ -27026,8 +27027,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
],
"tags": [
@@ -27061,11 +27062,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
- "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
"https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
+ "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
"https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"
],
"tags": [
@@ -27159,9 +27160,9 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://github.com/antonioCoco/RogueWinRM",
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://github.com/antonioCoco/RogueWinRM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
],
"tags": [
@@ -27194,8 +27195,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
],
"tags": [
@@ -27269,8 +27270,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
"https://github.com/carlospolop/PEASS-ng",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml"
],
"tags": [
@@ -27342,8 +27343,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml"
],
"tags": [
@@ -27575,12 +27576,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.joeware.net/freetools/tools/adfind/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
],
"tags": [
@@ -27711,8 +27712,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
"https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml"
],
"tags": [
@@ -27778,10 +27779,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/cloudflare/cloudflared/releases",
"https://github.com/cloudflare/cloudflared",
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
"https://www.intrinsec.com/akira_ransomware/",
+ "https://github.com/cloudflare/cloudflared/releases",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
"https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml"
],
@@ -27815,9 +27816,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://twitter.com/nas_bench/status/1534915321856917506",
"https://twitter.com/nas_bench/status/1534916659676422152",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml"
],
"tags": [
@@ -27893,8 +27894,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.gpg4win.de/documentation.html",
"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://www.gpg4win.de/documentation.html",
"https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml"
],
@@ -28020,8 +28021,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml"
],
"tags": [
@@ -28054,9 +28055,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
"https://learn.microsoft.com/en-us/azure/dns/dns-zones-records",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
+ "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
],
"tags": [
@@ -28340,8 +28341,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
"https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
+ "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml"
],
"tags": [
@@ -28466,9 +28467,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
"https://reaqta.com/2017/11/short-journey-darkvnc/",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
+ "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml"
],
"tags": [
@@ -28560,12 +28561,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
- "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
- "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
"https://www.attackiq.com/2023/09/20/emulating-rhysida/",
+ "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
+ "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
+ "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml"
],
"tags": [
@@ -28608,9 +28609,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
+ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
],
"tags": [
@@ -28869,13 +28870,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml"
],
"tags": [
@@ -28975,8 +28976,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
"https://github.com/Hackplayers/evil-winrm",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml"
],
"tags": [
@@ -29178,9 +29179,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/dsacls.html",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
+ "https://ss64.com/nt/dsacls.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
],
"tags": [
@@ -29282,10 +29283,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
"https://twitter.com/EricaZelic/status/1614075109827874817",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
+ "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
],
"tags": [
@@ -29334,8 +29335,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
],
@@ -29438,13 +29439,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
"https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
],
@@ -29520,8 +29521,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bopin2020/status/1366400799199272960",
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://twitter.com/bopin2020/status/1366400799199272960",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml"
],
"tags": [
@@ -29562,9 +29563,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://twitter.com/Hexacorn/status/1420053502554951689",
- "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml"
],
"tags": [
@@ -29642,8 +29643,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml"
],
"tags": [
@@ -29677,8 +29678,8 @@
"logsource.product": "windows",
"refs": [
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
],
@@ -29777,8 +29778,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.nirsoft.net/utils/nircmd.html",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd.html",
"https://www.nirsoft.net/utils/nircmd2.html#using",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
],
@@ -29837,8 +29838,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
],
"tags": [
@@ -29976,8 +29977,8 @@
"logsource.product": "windows",
"refs": [
"https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
- "https://redcanary.com/blog/child-processes/",
"https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf",
+ "https://redcanary.com/blog/child-processes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml"
],
"tags": [
@@ -30010,9 +30011,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
"https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/",
"https://twitter.com/RedDrip7/status/1506480588827467785",
+ "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"
],
"tags": [
@@ -30045,8 +30046,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/995837734379032576",
"https://twitter.com/pabraeken/status/999090532839313408",
+ "https://twitter.com/pabraeken/status/995837734379032576",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml"
],
@@ -30080,9 +30081,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist",
- "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
"https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html",
+ "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml"
],
"tags": [
@@ -30156,8 +30157,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
+ "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
],
@@ -30259,15 +30260,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
@@ -30319,8 +30320,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
"https://github.com/cloudflare/cloudflared",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml"
],
"tags": [
@@ -30446,8 +30447,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/msbuild.exe",
"https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/",
+ "https://www.echotrail.io/insights/search/msbuild.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml"
],
"tags": [
@@ -30526,8 +30527,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
+ "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml"
],
"tags": [
@@ -30585,8 +30586,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://redcanary.com/threat-detection-report/",
"https://www.cobaltstrike.com/help-windows-executable",
+ "https://redcanary.com/threat-detection-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
],
"tags": [
@@ -30619,10 +30620,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
"https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml",
"https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
+ "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
],
"tags": [
@@ -30699,9 +30700,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://unicode-explorer.com/c/202E",
"https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
"https://redcanary.com/blog/right-to-left-override/",
- "https://unicode-explorer.com/c/202E",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml"
],
"tags": [
@@ -30801,8 +30802,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md",
"https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
+ "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml"
],
"tags": [
@@ -30936,9 +30937,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491",
"https://twitter.com/tccontre18/status/1480950986650832903",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
+ "https://twitter.com/mrd0x/status/1461041276514623491",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml"
],
"tags": [
@@ -30971,13 +30972,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.softperfect.com/products/networkscanner/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
"https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
"https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
"https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
"https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
- "https://www.softperfect.com/products/networkscanner/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml"
],
"tags": [
@@ -31119,9 +31120,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
],
"tags": [
@@ -31197,8 +31198,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
"https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
+ "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml"
],
"tags": [
@@ -31308,8 +31309,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md",
"https://twitter.com/Oddvarmoe/status/993383596244258816",
+ "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml"
],
"tags": [
@@ -31484,8 +31485,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://twitter.com/ForensicITGuy/status/1334734244120309760",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
@@ -31537,9 +31538,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
"https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
"https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
- "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
],
"tags": [
@@ -31572,9 +31573,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
"https://twitter.com/bohops/status/994405551751815170",
"https://redcanary.com/blog/lateral-movement-winrm-wmi/",
- "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
],
"tags": [
@@ -31641,10 +31642,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
"https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
- "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
"https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+ "https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
],
"tags": [
@@ -31744,8 +31745,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
"https://adsecurity.org/?p=2288",
+ "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml"
],
"tags": [
@@ -31842,8 +31843,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
"https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml"
],
"tags": [
@@ -32013,9 +32014,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"
],
"tags": [
@@ -32057,8 +32058,8 @@
"logsource.product": "windows",
"refs": [
"https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
- "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
"https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
+ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
],
"tags": [
@@ -32091,9 +32092,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://youtu.be/5mqid-7zp8k?t=2481",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://youtu.be/5mqid-7zp8k?t=2481",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
],
@@ -32152,8 +32153,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
"https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl",
+ "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml"
],
"tags": [
@@ -32219,10 +32220,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
],
"tags": [
@@ -32265,8 +32266,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cglyer/status/1182391019633029120",
"https://twitter.com/cglyer/status/1182389676876980224",
+ "https://twitter.com/cglyer/status/1182391019633029120",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
],
"tags": [
@@ -32322,11 +32323,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://isc.sans.edu/diary/22264",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://isc.sans.edu/diary/22264",
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
],
@@ -32370,8 +32371,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml"
],
@@ -32405,8 +32406,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.phpied.com/make-your-javascript-a-windows-exe/",
"https://twitter.com/DissectMalware/status/998797808907046913",
+ "https://www.phpied.com/make-your-javascript-a-windows-exe/",
"https://lolbas-project.github.io/lolbas/Binaries/Jsc/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"
],
@@ -32440,8 +32441,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml"
],
"tags": [
@@ -32661,8 +32662,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
- "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922",
"https://github.com/grayhatkiller/SharpExShell",
+ "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml"
],
"tags": [
@@ -32695,8 +32696,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"
],
@@ -32805,8 +32806,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap",
"https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml"
],
"tags": [
@@ -32930,10 +32931,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1535322450858233858",
- "https://twitter.com/bohops/status/1276357235954909188?s=12",
"https://twitter.com/CyberRaiju/status/1273597319322058752",
+ "https://twitter.com/nas_bench/status/1535322450858233858",
"https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
+ "https://twitter.com/bohops/status/1276357235954909188?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
],
"tags": [
@@ -32966,8 +32967,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/chromeloader-malware/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
+ "https://unit42.paloaltonetworks.com/chromeloader-malware/",
"https://lolbas-project.github.io/lolbas/Binaries/Tar/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml"
],
@@ -33010,10 +33011,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
+ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml"
],
"tags": [
@@ -33104,8 +33105,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
],
@@ -33140,13 +33141,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
"https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
],
@@ -33213,8 +33214,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/hfiref0x/UACME",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
],
"tags": [
@@ -33386,9 +33387,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png",
"https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
"https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
- "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml"
],
"tags": [
@@ -33423,9 +33424,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml"
],
"tags": [
@@ -33492,9 +33493,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://twitter.com/pabraeken/status/990717080805789697",
"https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
- "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
],
"tags": [
@@ -33528,8 +33529,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/sensepost/ruler",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
],
"tags": [
@@ -33571,8 +33572,8 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
- "https://www.echotrail.io/insights/search/regsvr32.exe",
"https://redcanary.com/blog/intelligence-insights-april-2022/",
+ "https://www.echotrail.io/insights/search/regsvr32.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml"
],
"tags": [
@@ -33728,10 +33729,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
- "https://twitter.com/lefterispan/status/1286259016436514816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml"
],
"tags": [
@@ -33764,8 +33765,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/3proxy/3proxy",
"https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml"
],
"tags": [
@@ -33832,9 +33833,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
"https://twitter.com/mrd0x/status/1511489821247684615",
"https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
"https://twitter.com/mrd0x/status/1511415432888131586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
],
@@ -33877,8 +33878,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
"https://www.uptycs.com/blog/lolbins-are-no-laughing-matter",
+ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml"
],
"tags": [
@@ -33912,8 +33913,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
],
"tags": [
@@ -33946,11 +33947,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
- "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
],
"tags": [
@@ -34034,9 +34035,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
],
"tags": [
@@ -34092,9 +34093,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
"https://www.exploit-db.com/exploits/37525",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
],
"tags": [
@@ -34194,10 +34195,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf",
- "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
"https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/",
"https://github.com/AlessandroZ/LaZagne/tree/master",
+ "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml"
],
@@ -34221,8 +34222,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/child-processes/",
"https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
+ "https://redcanary.com/blog/child-processes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml"
],
"tags": [
@@ -34255,8 +34256,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
],
"tags": [
@@ -34355,8 +34356,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive",
"https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
+ "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml"
],
"tags": [
@@ -34423,8 +34424,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/netsh.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules",
+ "https://ss64.com/nt/netsh.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml"
],
"tags": [
@@ -34457,10 +34458,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
"https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
"https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
],
"tags": [
@@ -34493,9 +34494,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/",
"https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/",
+ "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml"
],
@@ -34528,8 +34529,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml"
],
"tags": [
@@ -34642,8 +34643,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+ "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
@@ -34790,10 +34791,10 @@
"refs": [
"https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
- "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml"
],
"tags": [
@@ -34868,8 +34869,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
"https://securityxploded.com/",
+ "https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml"
],
"tags": [
@@ -34902,10 +34903,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
- "https://github.com/wunderwuzzi23/firefox-cookiemonster",
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
"https://github.com/defaultnamehere/cookie_crimes/",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
+ "https://github.com/wunderwuzzi23/firefox-cookiemonster",
+ "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
],
"tags": [
@@ -35142,8 +35143,8 @@
"logsource.product": "windows",
"refs": [
"https://www.revshells.com/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://nmap.org/ncat/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
],
"tags": [
@@ -35243,8 +35244,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml"
],
"tags": [
@@ -35326,8 +35327,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
"https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml"
],
"tags": [
@@ -35402,9 +35403,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
],
"tags": [
@@ -35461,11 +35462,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
"https://twitter.com/cyberwar_15/status/1187287262054076416",
+ "https://blog.alyac.co.kr/1901",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
"https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
"https://en.wikipedia.org/wiki/Hangul_(word_processor)",
- "https://blog.alyac.co.kr/1901",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
],
"tags": [
@@ -35516,11 +35517,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive",
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
- "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
"https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
+ "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive",
+ "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
],
"tags": [
@@ -35586,8 +35587,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
"http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml"
],
"tags": [
@@ -35621,8 +35622,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
"https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
+ "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
],
"tags": [
@@ -35678,8 +35679,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml"
],
"tags": [
@@ -35713,8 +35714,8 @@
"logsource.product": "windows",
"refs": [
"http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
- "https://twitter.com/n1nj4sec/status/1421190238081277959",
"https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
+ "https://twitter.com/n1nj4sec/status/1421190238081277959",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"
],
"tags": [
@@ -35780,9 +35781,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
],
"tags": [
@@ -35838,8 +35839,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
],
"tags": [
@@ -35998,8 +35999,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
],
@@ -36033,12 +36034,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
"https://twitter.com/eral4m/status/1479080793003671557",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
"https://twitter.com/Hexacorn/status/885258886428725250",
"https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
- "https://twitter.com/nas_bench/status/1433344116071583746",
"https://twitter.com/eral4m/status/1479106975967240209",
- "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
],
"tags": [
@@ -36137,9 +36138,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
- "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
"https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
+ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
],
"tags": [
@@ -36266,11 +36267,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
"https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
],
"tags": [
@@ -36378,8 +36379,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/1224848930795552769",
"http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml"
],
"tags": [
@@ -36402,8 +36403,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/quarkslab/quarkspwdump",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://github.com/quarkslab/quarkspwdump",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml"
],
"tags": [
@@ -36478,8 +36479,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml"
],
@@ -36570,8 +36571,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
"https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
"https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_execution.yml"
],
@@ -36638,8 +36639,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
"https://github.com/malcomvetter/CSExec",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml"
],
"tags": [
@@ -36681,8 +36682,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
"https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml"
],
"tags": [
@@ -37021,11 +37022,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://twitter.com/0gtweet/status/1628720819537936386",
"https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
],
"tags": [
@@ -37060,9 +37061,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://docs.python.org/3/using/cmdline.html#cmdoption-c",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
],
"tags": [
@@ -37218,10 +37219,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.intrinsec.com/akira_ransomware/",
"https://github.com/cloudflare/cloudflared",
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
"https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://www.intrinsec.com/akira_ransomware/",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml"
],
"tags": [
@@ -37336,8 +37337,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hatching.io/blog/powershell-analysis/",
"https://lab52.io/blog/winter-vivern-all-summer/",
+ "https://hatching.io/blog/powershell-analysis/",
"https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
],
@@ -37440,8 +37441,8 @@
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
"https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
- "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
],
"tags": [
@@ -37525,9 +37526,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
],
"tags": [
@@ -37593,9 +37594,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
"https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
- "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
],
"tags": [
@@ -37644,9 +37645,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://twitter.com/nas_bench/status/1534957360032120833",
- "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml"
],
"tags": [
@@ -37762,8 +37763,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Kevin-Robertson/Inveigh",
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml"
],
"tags": [
@@ -37796,8 +37797,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
"https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
+ "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
],
"tags": [
@@ -37898,8 +37899,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml"
],
"tags": [
@@ -38009,8 +38010,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
"https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
+ "https://github.com/byt3bl33d3r/CrackMapExec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml"
],
"tags": [
@@ -38052,9 +38053,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
- "https://twitter.com/mattifestation/status/1196390321783025666",
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
],
"tags": [
@@ -38310,8 +38311,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
"https://twitter.com/0gtweet/status/1457676633809330184",
+ "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml"
],
"tags": [
@@ -38410,10 +38411,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
"https://nodejs.org/api/cli.html",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
+ "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
],
"tags": [
@@ -38446,8 +38447,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml"
],
@@ -38471,9 +38472,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
"https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
"https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml"
],
"tags": [
@@ -38599,24 +38600,24 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/besimorhino/powercat",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/adrecon/AzureADRecon",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/samratashok/nishang",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://adsecurity.org/?p=2921",
+ "https://github.com/besimorhino/powercat",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
],
"tags": [
@@ -38706,8 +38707,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
"https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
+ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml"
],
"tags": [
@@ -38764,8 +38765,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/",
"https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/",
+ "https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml"
],
"tags": [
@@ -38798,9 +38799,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
"https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
+ "https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml"
],
"tags": [
@@ -38901,8 +38902,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
"https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
+ "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml"
],
"tags": [
@@ -39043,9 +39044,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml"
],
"tags": [
@@ -39187,10 +39188,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/cloudflare/cloudflared/releases",
"https://github.com/cloudflare/cloudflared",
- "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
"https://www.intrinsec.com/akira_ransomware/",
+ "https://github.com/cloudflare/cloudflared/releases",
+ "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
"https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml"
],
@@ -39374,9 +39375,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
"https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
"https://twitter.com/pabraeken/status/990758590020452353",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
],
"tags": [
@@ -39409,8 +39410,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml"
],
"tags": [
@@ -39466,10 +39467,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
"https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
- "https://twitter.com/lefterispan/status/1286259016436514816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml"
],
"tags": [
@@ -39535,8 +39536,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/blackorbird/status/1140519090961825792",
"https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
+ "https://twitter.com/blackorbird/status/1140519090961825792",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
],
"tags": [
@@ -39604,10 +39605,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
"https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
- "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
+ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
"https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
+ "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"
],
"tags": [
@@ -39640,8 +39641,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"
],
@@ -39733,12 +39734,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://www.localpotato.com/",
"https://github.com/ohpe/juicy-potato",
"https://pentestlab.blog/2017/04/13/hot-potato/",
- "https://www.localpotato.com/",
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
- "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
],
"tags": [
@@ -39840,11 +39841,11 @@
"logsource.product": "windows",
"refs": [
"https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml"
],
"tags": [
@@ -39885,9 +39886,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
- "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
+ "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"
],
"tags": [
@@ -40056,8 +40057,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml"
],
"tags": [
@@ -40099,9 +40100,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
"https://github.com/samratashok/ADModule",
"https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
],
"tags": [
@@ -40195,13 +40196,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
+ "https://ngrok.com/docs",
"https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
"https://twitter.com/xorJosh/status/1598646907802451969",
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
- "https://ngrok.com/docs",
"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
"https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
],
"tags": [
@@ -40267,8 +40268,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
"https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
],
@@ -40338,8 +40339,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml"
],
"tags": [
@@ -40372,8 +40373,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml"
],
"tags": [
@@ -40409,8 +40410,8 @@
"logsource.product": "windows",
"refs": [
"https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://twitter.com/0gtweet/status/1628720819537936386",
"https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
+ "https://twitter.com/0gtweet/status/1628720819537936386",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml"
],
"tags": [
@@ -40443,8 +40444,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
+ "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
],
"tags": [
@@ -40688,8 +40689,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml"
],
"tags": [
@@ -40758,8 +40759,8 @@
"logsource.product": "windows",
"refs": [
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"
],
"tags": [
@@ -40793,11 +40794,11 @@
"logsource.product": "windows",
"refs": [
"https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://twitter.com/egre55/status/1087685529016193025",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
],
"tags": [
@@ -40832,8 +40833,8 @@
"refs": [
"https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
"https://twitter.com/hFireF0X/status/897640081053364225",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml"
],
"tags": [
@@ -40878,8 +40879,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
"https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
+ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml"
],
"tags": [
@@ -40956,15 +40957,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
"https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://github.com/Neo23x0/Raccine#the-process",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
],
"tags": [
@@ -41191,8 +41192,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
"https://www.radmin.fr/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"
],
"tags": [
@@ -41226,8 +41227,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
+ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
],
@@ -41261,10 +41262,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
- "https://adsecurity.org/?p=2604",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
+ "https://adsecurity.org/?p=2604",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -41297,8 +41298,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://twitter.com/jonasLyk/status/1555914501802921984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml"
],
@@ -41405,8 +41406,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
],
"tags": [
@@ -41530,12 +41531,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
"https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
],
"tags": [
@@ -41568,10 +41569,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
+ "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
],
"tags": [
@@ -41639,8 +41640,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml"
],
"tags": [
@@ -41663,10 +41664,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
"https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
- "https://twitter.com/M_haggis/status/1699056847154725107",
+ "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
"https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://twitter.com/M_haggis/status/1699056847154725107",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"
],
"tags": [
@@ -41690,9 +41691,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://en.wikipedia.org/wiki/HTML_Application",
"https://www.echotrail.io/insights/search/mshta.exe",
+ "https://en.wikipedia.org/wiki/HTML_Application",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
],
"tags": [
@@ -41725,8 +41726,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://github.com/fireeye/DueDLLigence",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
],
@@ -41845,10 +41846,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
"https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
"https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
"https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
- "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
],
"tags": [
@@ -41914,16 +41915,16 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"https://bunnyinside.com/?term=f71e8cb9c76a",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml"
],
"tags": [
@@ -41980,10 +41981,10 @@
"logsource.product": "windows",
"refs": [
"https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
- "https://twitter.com/mattifestation/status/1326228491302563846",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script",
- "http://blog.sevagas.com/?Hacking-around-HTA-files",
"https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script",
+ "https://twitter.com/mattifestation/status/1326228491302563846",
+ "http://blog.sevagas.com/?Hacking-around-HTA-files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
],
"tags": [
@@ -42034,15 +42035,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://www.group-ib.com/blog/apt41-world-tour-2021/",
- "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
+ "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1",
"http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/",
+ "https://www.group-ib.com/blog/apt41-world-tour-2021/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
+ "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml"
],
"tags": [
@@ -42245,9 +42246,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml"
],
@@ -42308,8 +42309,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
- "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
"http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
+ "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml"
],
"tags": [
@@ -42343,10 +42344,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
],
"tags": [
@@ -42455,13 +42456,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
"https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://www.cobaltstrike.com/help-opsec",
"https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
"https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
"https://twitter.com/CyberRaiju/status/1251492025678983169",
- "https://www.cobaltstrike.com/help-opsec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
],
"tags": [
@@ -42550,9 +42551,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
"https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml"
],
"tags": [
@@ -42655,8 +42656,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/991335019833708544",
"https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
+ "https://twitter.com/pabraeken/status/991335019833708544",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
],
"tags": [
@@ -42732,8 +42733,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/wermgr.exe",
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
"https://github.com/binderlabs/DirCreate2System",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml"
],
@@ -42781,8 +42782,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/outflanknl/Dumpert",
"https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml"
],
"tags": [
@@ -42898,8 +42899,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
+ "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml"
],
"tags": [
@@ -42956,8 +42957,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/",
"https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/",
+ "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml"
],
"tags": [
@@ -42991,8 +42992,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml"
],
"tags": [
@@ -43082,8 +43083,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
"https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml"
],
"tags": [
@@ -43116,9 +43117,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
"https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
"https://twitter.com/pfiatde/status/1681977680688738305",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
"https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
"https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml"
@@ -43355,10 +43356,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.activecyber.us/activelabs/windows-uac-bypass",
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
- "https://twitter.com/ReaQta/status/1222548288731217921",
"https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://www.activecyber.us/activelabs/windows-uac-bypass",
+ "https://twitter.com/ReaQta/status/1222548288731217921",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
],
"tags": [
@@ -43425,9 +43426,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/issues/1009",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml"
],
"tags": [
@@ -43549,8 +43550,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://twitter.com/orange_8361/status/1518970259868626944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml"
],
"tags": [
@@ -43617,8 +43618,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
],
"tags": [
@@ -43717,8 +43718,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Gerenios/AADInternals",
"https://o365blog.com/aadinternals/",
+ "https://github.com/Gerenios/AADInternals",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml"
],
"tags": [
@@ -43803,8 +43804,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml"
],
"tags": [
@@ -43969,8 +43970,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.nirsoft.net/utils/nircmd.html",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd.html",
"https://www.nirsoft.net/utils/nircmd2.html#using",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
],
@@ -44138,8 +44139,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
"https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml"
],
"tags": [
@@ -44163,8 +44164,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/",
- "https://twitter.com/pabraeken/status/993298228840992768",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
+ "https://twitter.com/pabraeken/status/993298228840992768",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
],
"tags": [
@@ -44197,8 +44198,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
"https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis",
+ "https://learn.microsoft.com/en-us/windows/client-management/manage-recall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml"
],
"tags": [
@@ -44273,8 +44274,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://support.anydesk.com/Automatic_Deployment",
"https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
+ "https://support.anydesk.com/Automatic_Deployment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"
],
"tags": [
@@ -44476,9 +44477,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml"
],
"tags": [
@@ -44535,9 +44536,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
],
"tags": [
@@ -44772,11 +44773,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
],
"tags": [
@@ -44826,9 +44827,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml"
],
@@ -45011,13 +45012,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/SBousseaden/status/1167417096374050817",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
"https://twitter.com/Wietze/status/1542107456507203586",
+ "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
"https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py",
"https://twitter.com/shantanukhande/status/1229348874298388484",
- "https://twitter.com/Hexacorn/status/1224848930795552769",
- "https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
],
"tags": [
@@ -45061,8 +45062,8 @@
"logsource.product": "windows",
"refs": [
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
"http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
+ "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"
],
"tags": [
@@ -45165,9 +45166,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/ps/foreach-object.html",
- "https://ss64.com/nt/for.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://ss64.com/nt/for.html",
+ "https://ss64.com/ps/foreach-object.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
],
"tags": [
@@ -45209,9 +45210,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491",
"https://twitter.com/tccontre18/status/1480950986650832903",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
+ "https://twitter.com/mrd0x/status/1461041276514623491",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"
],
"tags": [
@@ -45244,8 +45245,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
"https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml"
],
"tags": [
@@ -45278,8 +45279,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
"https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml"
],
"tags": [
@@ -45463,8 +45464,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml"
],
"tags": [
@@ -45498,8 +45499,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml"
],
"tags": [
@@ -45555,8 +45556,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
"https://twitter.com/JohnLaTwC/status/1082851155481288706",
+ "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml"
],
"tags": [
@@ -45663,8 +45664,8 @@
"refs": [
"https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
"https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
"https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
"https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
],
@@ -45843,11 +45844,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
- "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
"https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
"https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml"
],
"tags": [
@@ -45880,9 +45881,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
"https://twitter.com/mattifestation/status/986280382042595328",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://atomicredteam.io/defense-evasion/T1220/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
],
@@ -45941,8 +45942,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://abuse.io/lockergoga.txt",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml"
],
@@ -45985,8 +45986,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md",
+ "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml"
],
"tags": [
@@ -46106,12 +46107,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vletoux/pingcastle",
- "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
- "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
"https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
"https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
+ "https://github.com/vletoux/pingcastle",
"https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
+ "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
"https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml"
],
@@ -46145,8 +46146,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml"
],
"tags": [
@@ -46221,8 +46222,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
"https://twitter.com/cglyer/status/1183756892952248325",
+ "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml"
],
"tags": [
@@ -46255,8 +46256,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
"https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml"
],
"tags": [
@@ -46433,8 +46434,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nmap.org/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
+ "https://nmap.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml"
],
"tags": [
@@ -46467,11 +46468,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
"https://twitter.com/bohops/status/980659399495741441",
"https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
],
"tags": [
@@ -46639,8 +46640,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
],
@@ -46674,8 +46675,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
"https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml"
],
"tags": [
@@ -46816,12 +46817,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/_JohnHammond/status/1708910264261980634",
"https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://twitter.com/_JohnHammond/status/1708910264261980634",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://twitter.com/egre55/status/1087685529016193025",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
],
"tags": [
@@ -46896,11 +46897,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
"https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://twitter.com/christophetd/status/1164506034720952320",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
"https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
+ "https://twitter.com/christophetd/status/1164506034720952320",
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
],
"tags": [
@@ -47033,9 +47034,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
- "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
+ "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
],
"tags": [
@@ -47058,9 +47059,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"
],
"tags": [
@@ -47145,8 +47146,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://twitter.com/jonasLyk/status/1555914501802921984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml"
],
@@ -47229,8 +47230,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml"
],
"tags": [
@@ -47271,8 +47272,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://tools.thehacker.recipes/mimikatz/modules",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"
],
"tags": [
@@ -47337,8 +47338,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect",
"https://twitter.com/bohops/status/1635288066909966338",
+ "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml"
],
"tags": [
@@ -47513,8 +47514,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
"https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
+ "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml"
],
"tags": [
@@ -47582,11 +47583,11 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
- "https://positive.security/blog/ms-officecmd-rce",
- "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
- "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
"https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
+ "https://positive.security/blog/ms-officecmd-rce",
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml"
],
"tags": [
@@ -47651,8 +47652,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
"https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
+ "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml"
],
"tags": [
@@ -47729,8 +47730,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
"https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
+ "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml"
],
"tags": [
@@ -47763,8 +47764,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/dsacls.html",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
+ "https://ss64.com/nt/dsacls.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml"
],
"tags": [
@@ -47898,10 +47899,10 @@
"logsource.product": "windows",
"refs": [
"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
- "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
"https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
+ "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
"https://twitter.com/max_mal_/status/1542461200797163522",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
],
"tags": [
@@ -47934,8 +47935,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bryon_/status/975835709587075072",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
+ "https://twitter.com/bryon_/status/975835709587075072",
"https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml"
],
@@ -48027,9 +48028,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://boinc.berkeley.edu/",
"https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details",
"https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software",
- "https://boinc.berkeley.edu/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml"
],
"tags": [
@@ -48104,9 +48105,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
],
"tags": [
@@ -48130,8 +48131,8 @@
"logsource.product": "windows",
"refs": [
"https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"
],
"tags": [
@@ -48164,8 +48165,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/muddywater/88059/",
"https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
+ "https://securelist.com/muddywater/88059/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml"
],
"tags": [
@@ -48295,8 +48296,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/locked-out/68960/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
+ "https://securelist.com/locked-out/68960/",
"https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml"
],
@@ -48363,10 +48364,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
"https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
],
"tags": [
@@ -48537,8 +48538,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
"https://twitter.com/eral4m/status/1451112385041911809",
+ "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml"
],
"tags": [
@@ -48661,8 +48662,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://twitter.com/frack113/status/1555830623633375232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml"
],
@@ -48719,8 +48720,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
"https://twitter.com/mrd0x/status/1511415432888131586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
],
@@ -48829,8 +48830,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/pull/180",
"https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/180",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml"
],
"tags": [
@@ -48897,8 +48898,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bopin2020/status/1366400799199272960",
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://twitter.com/bopin2020/status/1366400799199272960",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml"
],
"tags": [
@@ -48939,10 +48940,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1583356502340870144",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://twitter.com/0gtweet/status/1583356502340870144",
"https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml"
],
"tags": [
@@ -48983,10 +48984,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
"https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
"https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
],
"tags": [
@@ -49019,14 +49020,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
"https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
],
"tags": [
@@ -49141,8 +49142,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://asec.ahnlab.com/en/39828/",
"https://twitter.com/GelosSnake/status/934900723426439170",
+ "https://asec.ahnlab.com/en/39828/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"
],
"tags": [
@@ -49245,9 +49246,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
"https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
- "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml"
],
"tags": [
@@ -49282,8 +49283,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
- "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
+ "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
"https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
"https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
@@ -49328,9 +49329,9 @@
"logsource.product": "windows",
"refs": [
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
- "https://twitter.com/JohnLaTwC/status/1415295021041979392",
"https://vms.drweb.fr/virus/?i=24144899",
+ "https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
],
"tags": [
@@ -49503,8 +49504,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
"https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
+ "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml"
],
"tags": [
@@ -49633,10 +49634,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://twitter.com/nas_bench/status/1537896324837781506",
- "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
],
"tags": [
@@ -49704,8 +49705,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt",
- "Internal Research",
"https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml"
],
"tags": [
@@ -49894,9 +49895,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
- "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery",
+ "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml"
],
"tags": [
@@ -49963,8 +49964,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/harr0ey/status/989617817849876488",
"https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
+ "https://twitter.com/harr0ey/status/989617817849876488",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml"
],
"tags": [
@@ -49997,9 +49998,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
"https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml"
],
"tags": [
@@ -50158,9 +50159,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://twitter.com/fr0s7_/status/1712780207105404948",
"https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
],
"tags": [
@@ -50183,10 +50184,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
- "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
+ "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"
],
"tags": [
@@ -50317,8 +50318,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml"
],
"tags": [
@@ -50396,8 +50397,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.poweradmin.com/paexec/",
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.poweradmin.com/paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
],
"tags": [
@@ -50430,8 +50431,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
"https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs",
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml"
],
"tags": [
@@ -50465,8 +50466,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
- "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
],
"tags": [
@@ -50499,8 +50500,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml"
],
"tags": [
@@ -50541,8 +50542,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
"https://blackpointcyber.com/resources/blog/breaking-through-the-screen/",
+ "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml"
],
"tags": [
@@ -50575,9 +50576,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
],
"tags": [
@@ -50610,8 +50611,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
"https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml"
],
"tags": [
@@ -50710,9 +50711,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
"https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
"https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml"
],
"tags": [
@@ -50765,6 +50766,41 @@
"uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
"value": "Suspicious Office Token Search Via CLI"
},
+ {
+ "description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
+ "meta": {
+ "author": "@Kostastsale",
+ "creation_date": "2024-09-22",
+ "falsepositive": [
+ "False positives can be found in environments using MessAgent for remote management, analysis should prioritize the grandparent process, MessAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host."
+ ],
+ "filename": "proc_creation_win_remote_access_tools_meshagent_exec.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Ylianst/MeshAgent",
+ "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55",
+ "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml"
+ ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "74a2b202-73e0-4693-9a3a-9d36146d0775",
+ "value": "Remote Access Tool - MeshAgent Command Execution via MeshCentral"
+ },
{
"description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique",
"meta": {
@@ -50855,9 +50891,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
- "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
"https://github.com/electron/rcedit",
+ "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
+ "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml"
],
"tags": [
@@ -50914,8 +50950,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
"https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
+ "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml"
],
"tags": [
@@ -50948,13 +50984,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.joeware.net/freetools/tools/adfind/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
],
"tags": [
@@ -51047,9 +51083,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1564968845726580736",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://twitter.com/0gtweet/status/1564968845726580736",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
],
"tags": [
@@ -51168,10 +51204,10 @@
"refs": [
"https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
- "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml"
],
"tags": [
@@ -51246,8 +51282,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"
],
"tags": [
@@ -51280,9 +51316,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://github.com/jpillora/chisel/",
+ "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
],
"tags": [
@@ -51349,8 +51385,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
- "https://twitter.com/_felamos/status/1204705548668555264",
"https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
+ "https://twitter.com/_felamos/status/1204705548668555264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml"
],
"tags": [
@@ -51383,8 +51419,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml"
],
@@ -51442,9 +51478,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
"https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
"https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
- "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
"https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
],
@@ -51511,8 +51547,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
],
@@ -51546,8 +51582,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
"https://twitter.com/nas_bench/status/1535431474429808642",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml"
],
"tags": [
@@ -51630,8 +51666,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
+ "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
],
"tags": [
@@ -51700,8 +51736,8 @@
"logsource.product": "windows",
"refs": [
"https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
],
"tags": [
@@ -51835,8 +51871,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/1ZRR4H/status/1534259727059787783",
"https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
+ "https://twitter.com/1ZRR4H/status/1534259727059787783",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml"
],
"tags": [
@@ -51869,9 +51905,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
- "https://web.archive.org/web/20231210115125/http://www.xuetr.com/",
"https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
+ "https://web.archive.org/web/20231210115125/http://www.xuetr.com/",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
],
"tags": [
@@ -52138,8 +52174,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/outflanknl/NetshHelperBeacon",
"https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/",
+ "https://github.com/outflanknl/NetshHelperBeacon",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"
],
@@ -52454,9 +52490,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
"https://twitter.com/vysecurity/status/974806438316072960",
"https://twitter.com/vysecurity/status/873181705024266241",
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
],
@@ -52490,8 +52526,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"
],
"tags": [
@@ -52625,8 +52661,8 @@
"logsource.product": "windows",
"refs": [
"https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
],
"tags": [
@@ -52659,8 +52695,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
"https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
],
"tags": [
@@ -52802,8 +52838,8 @@
"refs": [
"https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
"https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
],
"tags": [
@@ -52836,8 +52872,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml"
],
@@ -53099,8 +53135,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/pabraeken/status/993497996179492864",
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
+ "https://twitter.com/pabraeken/status/993497996179492864",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml"
],
"tags": [
@@ -53133,8 +53169,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/chromeloader-malware/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
+ "https://unit42.paloaltonetworks.com/chromeloader-malware/",
"https://lolbas-project.github.io/lolbas/Binaries/Tar/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml"
],
@@ -53313,8 +53349,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/frgnca/AudioDeviceCmdlets",
- "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
],
"tags": [
@@ -53348,8 +53384,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/tevora-threat/SharpView/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
],
"tags": [
@@ -53414,8 +53450,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml"
],
"tags": [
@@ -53490,8 +53526,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
],
"tags": [
@@ -53525,8 +53561,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
"https://github.com/OTRF/detection-hackathon-apt29/issues/17",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml"
],
"tags": [
@@ -53852,8 +53888,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
"https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
],
@@ -53978,10 +54014,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode",
- "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
"https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior",
+ "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
+ "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml"
],
"tags": [
@@ -54014,9 +54050,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/countuponsec/status/910969424215232518",
"https://twitter.com/countuponsec/status/910977826853068800",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
- "https://twitter.com/countuponsec/status/910969424215232518",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
],
"tags": [
@@ -54049,10 +54085,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://twitter.com/splinter_code/status/1483815103279603714",
- "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
],
"tags": [
@@ -54121,8 +54157,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/tag/svchost/",
"https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
+ "https://pentestlab.blog/tag/svchost/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml"
],
"tags": [
@@ -54227,8 +54263,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1206692239839289344",
"https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
+ "https://twitter.com/0gtweet/status/1206692239839289344",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
],
"tags": [
@@ -54403,9 +54439,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://www.joeware.net/freetools/tools/adfind/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"
],
"tags": [
@@ -54438,8 +54474,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml"
],
"tags": [
@@ -54473,8 +54509,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml"
],
"tags": [
@@ -54497,13 +54533,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml"
],
"tags": [
@@ -54538,10 +54574,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://twitter.com/gN3mes1s/status/1206874118282448897",
"https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
+ "https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
"https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml"
],
@@ -54845,8 +54881,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml"
],
"tags": [
@@ -54879,8 +54915,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
"https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
+ "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
"https://github.com/LOLBAS-Project/LOLBAS/pull/151",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml"
],
@@ -54923,8 +54959,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
"https://twitter.com/harr0ey/status/991670870384021504",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml"
],
"tags": [
@@ -55127,8 +55163,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"
],
"tags": [
@@ -55364,9 +55400,9 @@
"logsource.product": "windows",
"refs": [
"https://zero2auto.com/2020/05/19/netwalker-re/",
- "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
"https://redcanary.com/blog/yellow-cockatoo/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
+ "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
],
"tags": [
@@ -55493,9 +55529,9 @@
"logsource.category": "wmi_event",
"logsource.product": "windows",
"refs": [
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
"https://github.com/RiccardoAncarani/LiquidSnake",
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
],
"tags": [
@@ -55528,8 +55564,8 @@
"logsource.category": "process_tampering",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
"https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
+ "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml"
],
"tags": [
@@ -55674,8 +55710,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
"https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security",
+ "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2",
"https://cydefops.com/devtunnels-unleashed",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml"
],
@@ -55709,8 +55745,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://megatools.megous.com/",
"https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://megatools.megous.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml"
],
"tags": [
@@ -55854,8 +55890,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://www.ietf.org/rfc/rfc2821.txt",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml"
],
"tags": [
@@ -55930,11 +55966,11 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://youtu.be/n2dFlSaBBKo",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
"https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
"https://github.com/looCiprian/GC2-sheet",
+ "https://youtu.be/n2dFlSaBBKo",
"https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
- "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml"
],
"tags": [
@@ -56068,9 +56104,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
+ "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2",
"https://portmap.io/",
"https://github.com/rapid7/metasploit-framework/issues/11337",
- "https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml"
],
"tags": [
@@ -56181,8 +56217,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://pypi.org/project/scapy/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
+ "https://pypi.org/project/scapy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
],
"tags": [
@@ -56215,8 +56251,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "Internal Research",
"https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml"
],
@@ -56418,11 +56454,11 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://twitter.com/M_haggis/status/900741347035889665",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
"https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml"
],
"tags": [
@@ -56524,9 +56560,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
+ "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/",
"https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/",
- "https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regasm_network_activity.yml"
],
"tags": [
@@ -56561,8 +56597,8 @@
"refs": [
"https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
"https://tria.ge/240301-rk34sagf5x/behavioral2",
- "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d",
"https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html",
+ "https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml"
],
"tags": [
@@ -56618,10 +56654,10 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
- "https://ngrok.com/",
"https://ngrok.com/blog-post/new-ngrok-domains",
+ "https://ngrok.com/",
"https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
+ "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml"
],
"tags": [
@@ -56654,8 +56690,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c",
"https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md",
+ "https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml"
],
"tags": [
@@ -56688,9 +56724,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
+ "https://www.poolwatch.io/coin/monero",
"https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files",
"https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt",
- "https://www.poolwatch.io/coin/monero",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml"
],
"tags": [
@@ -56800,9 +56836,9 @@
"logsource.product": "windows",
"refs": [
"https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
- "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
+ "https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml"
],
"tags": [
@@ -57140,8 +57176,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://twitter.com/forensicitguy/status/1513538712986079238",
+ "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
],
@@ -57175,9 +57211,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
"https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
"https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml"
],
@@ -57313,12 +57349,12 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
- "https://twitter.com/kleiton0x7e/status/1600567316810551296",
- "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://github.com/kleiton0x00/RedditC2",
+ "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
"https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://twitter.com/kleiton0x7e/status/1600567316810551296",
+ "https://github.com/kleiton0x00/RedditC2",
+ "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml"
],
"tags": [
@@ -57479,8 +57515,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://ngrok.com/",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
],
"tags": [
@@ -57581,8 +57617,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml"
],
"tags": [
@@ -57616,10 +57652,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
"https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
],
"tags": [
@@ -57721,10 +57757,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
],
"tags": [
@@ -57758,9 +57794,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+ "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
],
"tags": [
@@ -57833,8 +57869,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
],
"tags": [
@@ -57993,8 +58029,8 @@
"logsource.product": "windows",
"refs": [
"https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/",
- "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule",
+ "https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml"
],
"tags": [
@@ -58147,8 +58183,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
],
"tags": [
@@ -58182,8 +58218,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
"https://twitter.com/SBousseaden/status/1096148422984384514",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
],
"tags": [
@@ -58235,8 +58271,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
"https://twitter.com/duzvik/status/1269671601852813320",
+ "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
],
"tags": [
@@ -58597,7 +58633,7 @@
}
],
"uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d",
- "value": "Windows Defender Exclusion Reigstry Key - Write Access Requested"
+ "value": "Windows Defender Exclusion Registry Key - Write Access Requested"
},
{
"description": "Detects WRITE_DAC access to a domain object",
@@ -58911,8 +58947,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1101431884540710913",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625",
+ "https://twitter.com/SBousseaden/status/1101431884540710913",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
],
"tags": [
@@ -59165,10 +59201,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
],
"tags": [
@@ -59191,9 +59227,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all",
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
],
@@ -59335,8 +59371,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml"
],
"tags": [
@@ -59402,9 +59438,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
],
"tags": [
@@ -59640,8 +59676,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.trustedsec.com/blog/art_of_kerberoast/",
"https://adsecurity.org/?p=3513",
+ "https://www.trustedsec.com/blog/art_of_kerberoast/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml"
],
"tags": [
@@ -59674,16 +59710,16 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
"https://bunnyinside.com/?term=f71e8cb9c76a",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
],
"tags": [
@@ -59766,9 +59802,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html",
"https://twitter.com/menasec1/status/1106899890377052160",
"https://www.secureworks.com/blog/ransomware-as-a-distraction",
- "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
],
"tags": [
@@ -59843,8 +59879,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://adsecurity.org/?p=3466",
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
"https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
],
@@ -59986,8 +60022,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/webcasts/119395",
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
],
@@ -60039,9 +60075,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
],
"tags": [
@@ -60074,10 +60110,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
- "https://twitter.com/MsftSecIntel/status/1257324139515269121",
"https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
],
"tags": [
@@ -60313,9 +60349,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
"https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
],
"tags": [
@@ -60416,8 +60452,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
],
"tags": [
@@ -60450,9 +60486,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616",
- "Live environment caused by malware",
"Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
+ "Live environment caused by malware",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
],
"tags": [
@@ -60518,10 +60554,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://x.com/_st0pp3r_/status/1742203752361128162?s=20",
"https://github.com/deepinstinct/NoFilter",
- "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp",
"https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation",
+ "https://x.com/_st0pp3r_/status/1742203752361128162?s=20",
+ "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml"
],
"tags": [
@@ -60595,8 +60631,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=1714",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794",
+ "https://adsecurity.org/?p=1714",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml"
],
"tags": [
@@ -60679,8 +60715,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
"https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
"https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml"
],
@@ -60717,8 +60753,8 @@
"refs": [
"https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
"https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://twitter.com/Flangvik/status/1283054508084473861",
"https://twitter.com/SecurityJosh/status/1283027365770276866",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
],
"tags": [
@@ -60861,8 +60897,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
],
@@ -61251,8 +61287,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://github.com/fox-it/LDAPFragger",
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
],
@@ -61627,10 +61663,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
],
"tags": [
@@ -62067,8 +62103,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml"
],
"tags": [
@@ -62211,9 +62247,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
- "https://twitter.com/malmoeb/status/1511760068743766026",
"https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
+ "https://twitter.com/malmoeb/status/1511760068743766026",
+ "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
],
"tags": [
@@ -62249,8 +62285,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
"https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml"
],
"tags": [
@@ -62316,8 +62352,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673",
"https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
],
"tags": [
@@ -62350,11 +62386,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
"https://github.com/sensepost/ruler/issues/47",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
"https://github.com/sensepost/ruler",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
],
"tags": [
@@ -62528,8 +62564,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
],
"tags": [
@@ -62674,8 +62710,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
"https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
+ "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml"
],
"tags": [
@@ -62944,8 +62980,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
"https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
+ "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml"
],
"tags": [
@@ -63064,8 +63100,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
"https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
+ "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml"
],
"tags": [
@@ -63123,9 +63159,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
"https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml"
],
"tags": [
@@ -63158,11 +63194,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
],
"tags": [
@@ -63316,10 +63352,10 @@
"logsource.product": "windows",
"refs": [
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
],
"tags": [
@@ -63352,11 +63388,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
"https://www.cisecurity.org/controls/cis-controls-list/",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
],
"tags": [
@@ -63389,9 +63425,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
- "https://github.com/amjcyber/EDRNoiseMaker",
"https://github.com/netero1010/EDRSilencer",
+ "https://github.com/amjcyber/EDRNoiseMaker",
+ "https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml"
],
"tags": [
@@ -63424,8 +63460,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml"
],
@@ -63449,8 +63485,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml"
],
@@ -63474,8 +63510,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml"
],
@@ -63499,8 +63535,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml"
],
@@ -63524,8 +63560,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml"
],
@@ -63549,8 +63585,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml"
],
@@ -63574,8 +63610,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml"
],
@@ -63609,8 +63645,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml"
],
@@ -63635,8 +63671,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://twitter.com/SBousseaden/status/1483810148602814466",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
],
@@ -64258,8 +64294,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
"https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
"https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
],
@@ -64326,8 +64362,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
],
"tags": [
@@ -64348,7 +64384,7 @@
"value": "Microsoft Defender Tamper Protection Trigger"
},
{
- "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
+ "description": "Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\n",
"meta": {
"author": "Ján Trenčanský, frack113",
"creation_date": "2020-07-28",
@@ -64361,9 +64397,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml"
],
"tags": [
@@ -64396,8 +64432,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands",
"https://twitter.com/duff22b/status/1280166329660497920",
+ "https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml"
],
"tags": [
@@ -64507,8 +64543,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012",
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml"
],
"tags": [
@@ -64599,8 +64635,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml"
],
"tags": [
@@ -64699,9 +64735,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml"
],
"tags": [
@@ -64734,9 +64770,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
"https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
"Internal Research",
+ "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
],
"tags": [
@@ -64837,8 +64873,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
"https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml"
],
"tags": [
@@ -64871,10 +64907,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
"https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
"https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
],
"tags": [
@@ -64950,8 +64986,8 @@
"logsource.product": "windows",
"refs": [
"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
],
"tags": [
@@ -65026,8 +65062,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mgreen27/status/1558223256704122882",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
+ "https://twitter.com/mgreen27/status/1558223256704122882",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml"
],
"tags": [
@@ -65060,8 +65096,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mgreen27/status/1558223256704122882",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
+ "https://twitter.com/mgreen27/status/1558223256704122882",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml"
],
"tags": [
@@ -65084,11 +65120,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/DidierStevens/status/1217533958096924676",
- "https://twitter.com/FlemmingRiis/status/1217147415482060800",
"https://nullsec.us/windows-event-log-audit-cve/",
- "https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
"https://twitter.com/VM_vivisector/status/1217190929330655232",
+ "https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
],
"tags": [
@@ -65428,8 +65464,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml",
"https://learn.microsoft.com/en-us/windows/win32/msi/event-logging",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml"
],
"tags": [
@@ -65485,8 +65521,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml"
],
"tags": [
@@ -65585,12 +65621,12 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://ipurple.team/2024/07/15/sharphound-detection/",
+ "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
"https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
"https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
"https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
- "https://ipurple.team/2024/07/15/sharphound-detection/",
- "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
],
"tags": [
@@ -65639,8 +65675,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
"https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
+ "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
],
"tags": [
@@ -65706,8 +65742,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)",
+ "https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml"
],
"tags": [
@@ -65862,8 +65898,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.secura.com/blog/zero-logon",
"https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
+ "https://www.secura.com/blog/zero-logon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
],
"tags": [
@@ -66436,8 +66472,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml"
],
"tags": [
@@ -66610,8 +66646,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/webcasts/119395",
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
],
@@ -67559,9 +67595,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/jonasLyk/status/1347900440000811010",
- "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
"https://twitter.com/wdormann/status/1347958161609809921",
+ "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
+ "https://twitter.com/jonasLyk/status/1347900440000811010",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml"
],
"tags": [
@@ -67627,8 +67663,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/Ekultek/BlueKeep",
+ "https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
],
"tags": [
@@ -67662,9 +67698,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml"
],
"tags": [
@@ -67697,9 +67733,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
- "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+ "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml"
],
"tags": [
@@ -67951,9 +67987,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
- "https://twitter.com/gentilkiwi/status/861641945944391680",
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://twitter.com/gentilkiwi/status/861641945944391680",
+ "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
],
"tags": [
@@ -68019,8 +68055,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml"
],
"tags": [
@@ -68068,11 +68104,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
- "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
- "https://winaero.com/enable-openssh-server-windows-10/",
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
+ "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
],
"tags": [
@@ -68106,8 +68142,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
],
"tags": [
@@ -68164,8 +68200,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml"
],
"tags": [
@@ -68400,9 +68436,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
],
"tags": [
@@ -68449,10 +68485,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
],
"tags": [
@@ -68475,10 +68511,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
],
"tags": [
@@ -68501,10 +68537,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
],
"tags": [
@@ -68527,10 +68563,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "Internal Research",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
],
"tags": [
@@ -68824,11 +68860,11 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://hijacklibs.net/",
- "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
"https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
"https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
+ "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/",
+ "https://hijacklibs.net/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
],
"tags": [
@@ -69080,9 +69116,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/oulusoyum/status/1191329746069655553",
- "https://twitter.com/mattifestation/status/1196390321783025666",
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml"
],
"tags": [
@@ -69212,9 +69248,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/dez_/status/986614411711442944",
"https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
+ "https://twitter.com/dez_/status/986614411711442944",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
],
"tags": [
@@ -69322,12 +69358,12 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
],
"tags": [
@@ -69371,10 +69407,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
- "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
- "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
"https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
+ "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
+ "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml"
],
"tags": [
@@ -69484,8 +69520,8 @@
"refs": [
"https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
- "https://github.com/tyranid/DotNetToJScript",
"https://thewover.github.io/Introducing-Donut/",
+ "https://github.com/tyranid/DotNetToJScript",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
],
"tags": [
@@ -69628,8 +69664,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
"https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
+ "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml"
],
"tags": [
@@ -69781,8 +69817,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
],
"tags": [
@@ -69825,11 +69861,11 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/DTCERT/status/1712785426895839339",
- "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html",
"https://twitter.com/Max_Mal_/status/1775222576639291859",
+ "https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html",
"https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/",
"https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/",
+ "https://twitter.com/DTCERT/status/1712785426895839339",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml"
],
"tags": [
@@ -69871,10 +69907,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
"https://github.com/bohops/WSMan-WinRM",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
],
"tags": [
@@ -69992,9 +70028,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/WhichbufferArda/status/1658829954182774784",
"https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/",
"https://securelist.com/apt-luminousmoth/103332/",
+ "https://twitter.com/WhichbufferArda/status/1658829954182774784",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml"
],
"tags": [
@@ -70358,8 +70394,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
"https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
"https://twitter.com/HunterPlaybook/status/1301207718355759107",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
],
@@ -70504,8 +70540,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/wdormann/status/1547583317410607110",
"https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
+ "https://twitter.com/wdormann/status/1547583317410607110",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
],
"tags": [
@@ -70540,8 +70576,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2921",
"https://github.com/p3nt4/PowerShdll",
+ "https://adsecurity.org/?p=2921",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml"
],
"tags": [
@@ -70574,8 +70610,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
"https://github.com/ly4k/SpoolFool",
+ "https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
],
"tags": [
@@ -70655,9 +70691,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
- "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
"https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql",
+ "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
+ "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml"
],
"tags": [
@@ -70785,8 +70821,8 @@
"logsource.product": "windows",
"refs": [
"https://www.roboform.com/",
- "https://twitter.com/StopMalvertisin/status/1648604148848549888",
"https://twitter.com/t3ft3lb/status/1656194831830401024",
+ "https://twitter.com/StopMalvertisin/status/1648604148848549888",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml"
],
"tags": [
@@ -70870,9 +70906,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
- "https://github.com/S12cybersecurity/RDPCredentialStealer",
"https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
+ "https://github.com/S12cybersecurity/RDPCredentialStealer",
+ "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml"
],
@@ -70973,8 +71009,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
+ "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml"
],
@@ -71117,8 +71153,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html",
"https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html",
+ "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml"
],
"tags": [
@@ -71381,10 +71417,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
- "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
- "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
"https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
+ "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
+ "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml"
],
"tags": [
@@ -71512,8 +71548,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/",
"https://www.mandiant.com/resources/blog/lnk-between-browsers",
+ "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml"
],
"tags": [
@@ -71867,8 +71903,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
"https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
+ "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
],
"tags": [
@@ -72084,8 +72120,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/gabe-k/themebleed",
"Internal Research",
+ "https://github.com/gabe-k/themebleed",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml"
],
"tags": [
@@ -72164,8 +72200,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/besimorhino/powercat",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://nmap.org/ncat/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
],
"tags": [
@@ -72298,9 +72334,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://github.com/bohops/WSMan-WinRM",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
],
"tags": [
@@ -72751,8 +72787,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
"https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
],
"tags": [
@@ -72820,8 +72856,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
],
"tags": [
@@ -72920,8 +72956,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2604",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
+ "https://adsecurity.org/?p=2604",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
],
@@ -72955,10 +72991,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
"https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps",
- "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
"http://woshub.com/manage-windows-firewall-powershell/",
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+ "https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
"https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
],
@@ -73127,9 +73163,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
"https://github.com/samratashok/ADModule",
"https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml"
],
"tags": [
@@ -73230,8 +73266,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml"
],
"tags": [
@@ -73388,8 +73424,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
],
"tags": [
@@ -73455,8 +73491,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
"https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml"
],
"tags": [
@@ -73587,24 +73623,24 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/besimorhino/powercat",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/adrecon/AzureADRecon",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/samratashok/nishang",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://adsecurity.org/?p=2921",
+ "https://github.com/besimorhino/powercat",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
],
"tags": [
@@ -73903,8 +73939,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
"https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
+ "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
],
"tags": [
@@ -73938,8 +73974,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml"
],
"tags": [
@@ -74160,8 +74196,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml"
],
"tags": [
@@ -74227,8 +74263,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"
],
"tags": [
@@ -74261,9 +74297,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
- "https://github.com/GhostPack/Rubeus",
"https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
+ "https://github.com/GhostPack/Rubeus",
+ "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml"
],
"tags": [
@@ -74591,8 +74627,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml"
],
"tags": [
@@ -74749,8 +74785,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/Arno0x/DNSExfiltrator",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
+ "https://github.com/Arno0x/DNSExfiltrator",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
],
"tags": [
@@ -74886,8 +74922,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -75039,8 +75075,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
],
"tags": [
@@ -75073,9 +75109,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://youtu.be/5mqid-7zp8k?t=2481",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://youtu.be/5mqid-7zp8k?t=2481",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
],
@@ -75324,9 +75360,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13",
"https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md",
"https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing",
- "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml"
],
"tags": [
@@ -75394,9 +75430,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
],
"tags": [
@@ -75619,10 +75655,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
"https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
+ "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
],
"tags": [
@@ -75731,8 +75767,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -75887,8 +75923,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
"https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml"
],
"tags": [
@@ -75921,9 +75957,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
"https://powersploit.readthedocs.io/en/stable/Recon/README",
"https://thedfirreport.com/2020/10/08/ryuks-return",
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
"https://adsecurity.org/?p=2277",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
],
@@ -75991,8 +76027,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
],
"tags": [
@@ -76125,9 +76161,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"
],
"tags": [
@@ -76168,8 +76204,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
"https://www.offensive-security.com/metasploit-unleashed/timestomp/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
],
"tags": [
@@ -76202,8 +76238,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://attack.mitre.org/datasources/DS0005/",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
],
"tags": [
@@ -76269,11 +76305,11 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
- "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
"https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
+ "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
"https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"
],
"tags": [
@@ -76390,9 +76426,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://www.shellhacks.com/clear-history-powershell/",
"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
"https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
- "https://www.shellhacks.com/clear-history-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
],
"tags": [
@@ -76467,8 +76503,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
],
@@ -76829,8 +76865,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
"https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
],
"tags": [
@@ -76905,8 +76941,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
],
"tags": [
@@ -76972,8 +77008,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
],
"tags": [
@@ -77007,8 +77043,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/oroneequalsone/status/1568432028361830402",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
"https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
],
"tags": [
@@ -77075,9 +77111,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
"https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
],
"tags": [
@@ -77110,9 +77146,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
- "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
+ "https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
],
"tags": [
@@ -77202,8 +77238,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
],
"tags": [
@@ -77302,8 +77338,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
"https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml"
],
"tags": [
@@ -77370,8 +77406,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
+ "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
],
"tags": [
@@ -77446,8 +77482,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/Gerenios/AADInternals",
"https://o365blog.com/aadinternals/",
+ "https://github.com/Gerenios/AADInternals",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml"
],
"tags": [
@@ -77706,9 +77742,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
- "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
"https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
+ "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
],
"tags": [
@@ -77916,9 +77952,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml"
],
"tags": [
@@ -77984,10 +78020,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
- "https://twitter.com/ScumBots/status/1610626724257046529",
"https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
"https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
+ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
],
"tags": [
@@ -78021,8 +78057,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
+ "https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
],
"tags": [
@@ -78229,9 +78265,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://www.ietf.org/rfc/rfc2821.txt",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
],
"tags": [
@@ -78523,9 +78559,9 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
"https://github.com/samratashok/ADModule",
"https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml"
],
"tags": [
@@ -78800,8 +78836,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
],
"tags": [
@@ -78867,23 +78903,23 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/samratashok/nishang",
"https://github.com/besimorhino/powercat",
"https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/samratashok/nishang",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/HarmJ0y/DAMP",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
],
"tags": [
@@ -78916,8 +78952,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml"
],
"tags": [
@@ -79026,24 +79062,24 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/besimorhino/powercat",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/adrecon/AzureADRecon",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/samratashok/nishang",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/Kevin-Robertson/Powermad",
- "https://adsecurity.org/?p=2921",
+ "https://github.com/besimorhino/powercat",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
],
"tags": [
@@ -79392,9 +79428,9 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://www.mdeditor.tw/pl/pgRt",
- "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
"https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
+ "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
+ "https://www.mdeditor.tw/pl/pgRt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
],
"tags": [
@@ -79714,17 +79750,17 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://github.com/ohpe/juicy-potato",
- "https://github.com/outflanknl/Dumpert",
- "https://github.com/gentilkiwi/mimikatz",
- "https://github.com/antonioCoco/RoguePotato",
- "https://github.com/fortra/nanodump",
- "https://github.com/wavestone-cdt/EDRSandblast",
"https://github.com/codewhitesec/HandleKatz",
+ "https://github.com/fortra/nanodump",
"https://github.com/xuanxuan0/DripLoader",
+ "https://github.com/ohpe/juicy-potato",
"https://www.tarasco.org/security/pwdump_7/",
- "https://github.com/hfiref0x/UACME",
+ "https://github.com/antonioCoco/RoguePotato",
"https://github.com/topotam/PetitPotam",
+ "https://github.com/outflanknl/Dumpert",
+ "https://github.com/hfiref0x/UACME",
+ "https://github.com/wavestone-cdt/EDRSandblast",
+ "https://github.com/gentilkiwi/mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml"
],
"tags": [
@@ -79911,8 +79947,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/detecting-onenote-abuse",
"https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
+ "https://labs.withsecure.com/publications/detecting-onenote-abuse",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml"
],
"tags": [
@@ -80025,8 +80061,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/bh4b3sh/status/1303674603819081728",
"https://github.com/skelsec/pypykatz",
+ "https://twitter.com/bh4b3sh/status/1303674603819081728",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml"
],
"tags": [
@@ -80234,8 +80270,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
"https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158",
+ "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml"
],
"tags": [
@@ -80269,9 +80305,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
- "https://twitter.com/SBousseaden/status/1541920424635912196",
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
+ "https://twitter.com/SBousseaden/status/1541920424635912196",
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml"
],
"tags": [
@@ -80304,8 +80340,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml"
],
"tags": [
@@ -80608,9 +80644,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://twitter.com/mrd0x/status/1460597833917251595",
"https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml"
],
"tags": [
@@ -80682,8 +80718,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/boku7/spawn",
"https://github.com/boku7/injectAmsiBypass",
+ "https://github.com/boku7/spawn",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml"
],
"tags": [
@@ -80999,8 +81035,8 @@
"refs": [
"https://threatpost.com/microsoft-petitpotam-poc/168163/",
"https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
"https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
+ "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
],
"tags": [
@@ -81040,9 +81076,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/nknorg/nkn-sdk-go",
"https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/Maka8ka/NGLite",
+ "https://github.com/nknorg/nkn-sdk-go",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
],
"tags": [
@@ -81287,12 +81323,12 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://github.com/corelight/CVE-2021-1675",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
+ "https://github.com/corelight/CVE-2021-1675",
"https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
"https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
"https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
],
"tags": [
@@ -81319,10 +81355,10 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
"https://twitter.com/neu5ron/status/1346245602502443009",
- "https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
"https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
+ "https://tools.ietf.org/html/rfc2929#section-2.1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
],
"tags": [
@@ -81608,8 +81644,8 @@
"logsource.category": "No established category",
"logsource.product": "cisco",
"refs": [
- "https://blog.router-switch.com/2013/11/show-running-config/",
"https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm",
+ "https://blog.router-switch.com/2013/11/show-running-config/",
"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml"
],
@@ -82320,8 +82356,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml"
],
"tags": [
@@ -82429,8 +82465,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://core.telegram.org/bots/faq",
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://core.telegram.org/bots/faq",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
@@ -82562,8 +82598,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
],
"tags": [
@@ -82654,11 +82690,11 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
"https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
"https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
+ "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml"
],
"tags": [
@@ -82692,10 +82728,10 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
+ "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
"https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
"https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
- "https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
- "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml"
],
"tags": [
@@ -82770,10 +82806,10 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
"https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
"https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
"https://www.spamhaus.org/statistics/tlds/",
- "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
],
"tags": [
@@ -82934,13 +82970,13 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
"http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"https://twitter.com/crep1x/status/1635034100213112833",
+ "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
+ "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
"https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
"https://perishablepress.com/blacklist/ua-2013.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
],
@@ -82974,8 +83010,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
"https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
+ "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml"
],
"tags": [
@@ -83077,8 +83113,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
"https://rclone.org/",
+ "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml"
],
"tags": [
@@ -83111,9 +83147,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
"https://blog.talosintelligence.com/ipfs-abuse/",
"https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
- "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
],
"tags": [
@@ -83196,9 +83232,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
"https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
"https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
+ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml"
],
"tags": [
@@ -83468,8 +83504,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
"http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
],
"tags": [
@@ -83644,9 +83680,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
],
"tags": [
@@ -83797,8 +83833,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
"https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
+ "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml"
],
"tags": [
@@ -83831,11 +83867,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
"https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
"https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
"https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
],
"tags": [
@@ -83974,9 +84010,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
- "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
"https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
+ "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+ "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
],
"tags": [
@@ -84010,8 +84046,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/payloadbox/ssti-payloads",
"https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
+ "https://github.com/payloadbox/ssti-payloads",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml"
],
"tags": [
@@ -84044,9 +84080,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
"https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
"https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
+ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml"
],
"tags": [
@@ -84116,11 +84152,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/payloadbox/sql-injection-payload-list",
- "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
- "https://brightsec.com/blog/sql-injection-payloads/",
"https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
"https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection",
+ "https://github.com/payloadbox/sql-injection-payload-list",
+ "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml"
],
"tags": [
@@ -84154,8 +84190,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://book.hacktricks.xyz/pentesting-web/file-inclusion",
"https://github.com/projectdiscovery/nuclei-templates",
+ "https://book.hacktricks.xyz/pentesting-web/file-inclusion",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml"
],
"tags": [
@@ -84222,9 +84258,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.exploit-db.com/exploits/19525",
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
"https://github.com/lijiejie/IIS_shortname_Scanner",
+ "https://www.exploit-db.com/exploits/19525",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
],
"tags": [
@@ -84290,8 +84326,8 @@
"logsource.category": "application",
"logsource.product": "jvm",
"refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml"
],
"tags": [
@@ -84358,8 +84394,8 @@
"logsource.product": "jvm",
"refs": [
"https://rules.sonarsource.com/java/RSPEC-2755",
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
],
"tags": [
@@ -84460,8 +84496,8 @@
"logsource.category": "application",
"logsource.product": "spring",
"refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml"
],
"tags": [
@@ -84527,10 +84563,10 @@
"logsource.category": "application",
"logsource.product": "ruby_on_rails",
"refs": [
- "http://guides.rubyonrails.org/action_controller_overview.html",
- "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
- "http://edgeguides.rubyonrails.org/security.html",
"https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
+ "http://edgeguides.rubyonrails.org/security.html",
+ "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
+ "http://guides.rubyonrails.org/action_controller_overview.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
],
"tags": [
@@ -84564,8 +84600,8 @@
"logsource.category": "application",
"logsource.product": "velocity",
"refs": [
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://antgarsil.github.io/posts/velocity/",
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml"
],
"tags": [
@@ -84631,8 +84667,8 @@
"logsource.category": "application",
"logsource.product": "django",
"refs": [
- "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
"https://docs.djangoproject.com/en/1.11/ref/exceptions/",
+ "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml"
],
"tags": [
@@ -85452,8 +85488,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
"https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/",
+ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml"
],
"tags": [
@@ -85566,8 +85602,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
"https://security.padok.fr/en/blog/kubernetes-webhook-attackers",
+ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml"
],
"tags": [
@@ -85617,8 +85653,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
"https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues",
+ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml"
],
"tags": [
@@ -85642,8 +85678,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
"https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob",
+ "https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml"
],
"tags": [
@@ -85805,10 +85841,10 @@
"logsource.category": "application",
"logsource.product": "kubernetes",
"refs": [
- "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
"https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html",
- "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html",
+ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer",
+ "https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml"
],
"tags": [
@@ -85872,8 +85908,8 @@
"logsource.category": "application",
"logsource.product": "kubernetes",
"refs": [
- "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch",
"https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/",
+ "https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml"
],
"tags": [
@@ -85955,10 +85991,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
],
"tags": [
@@ -85982,8 +86018,8 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
],
"tags": [
@@ -86114,8 +86150,8 @@
"refs": [
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
],
"tags": [
@@ -86148,12 +86184,12 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
"https://github.com/zeronetworks/rpcfirewall",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
],
"tags": [
@@ -86220,10 +86256,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
],
"tags": [
@@ -86256,10 +86292,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
],
"tags": [
@@ -86318,8 +86354,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
@@ -86354,10 +86390,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
],
"tags": [
@@ -86380,8 +86416,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
@@ -86406,10 +86442,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
],
"tags": [
@@ -86432,10 +86468,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
],
"tags": [
@@ -86572,9 +86608,9 @@
"logsource.product": "macos",
"refs": [
"https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
+ "https://objective-see.org/blog/blog_0x6D.html",
"https://ss64.com/osx/csrutil.html",
"https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
- "https://objective-see.org/blog/blog_0x6D.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml"
],
"tags": [
@@ -86640,8 +86676,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/osx/osacompile.html",
"https://redcanary.com/blog/applescript/",
+ "https://ss64.com/osx/osacompile.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml"
],
"tags": [
@@ -86748,10 +86784,10 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
"https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior",
- "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior",
+ "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
"https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior",
+ "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml"
],
"tags": [
@@ -86784,9 +86820,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
- "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+ "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
],
"tags": [
@@ -86877,9 +86913,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
"https://github.com/MythicAgents/typhon/",
"https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
+ "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml"
],
"tags": [
@@ -86939,9 +86975,9 @@
"refs": [
"https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md",
- "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html",
- "https://www.loobins.io/binaries/launchctl/",
"https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
+ "https://www.loobins.io/binaries/launchctl/",
+ "https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"
],
"tags": [
@@ -86991,9 +87027,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
+ "https://ss64.com/mac/hdiutil.html",
"https://www.loobins.io/binaries/hdiutil/",
"https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/",
- "https://ss64.com/mac/hdiutil.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml"
],
"tags": [
@@ -87016,8 +87052,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/osx/sysadminctl.html",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos",
+ "https://ss64.com/osx/sysadminctl.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml"
],
"tags": [
@@ -87051,8 +87087,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
+ "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
],
"tags": [
@@ -87085,9 +87121,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/osx/sw_vers.html",
- "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior",
"https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior",
+ "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior",
+ "https://ss64.com/osx/sw_vers.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml"
],
"tags": [
@@ -87120,9 +87156,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
"https://github.com/MythicAgents/typhon/",
"https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
+ "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml"
],
"tags": [
@@ -87180,9 +87216,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml",
- "https://ss64.com/osx/dsenableroot.html",
"https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md",
+ "https://ss64.com/osx/dsenableroot.html",
+ "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml"
],
"tags": [
@@ -87323,9 +87359,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
+ "https://ss64.com/mac/hdiutil.html",
"https://www.loobins.io/binaries/hdiutil/",
"https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/",
- "https://ss64.com/mac/hdiutil.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml"
],
"tags": [
@@ -87399,8 +87435,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml"
],
"tags": [
@@ -87499,13 +87535,13 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
- "https://evasions.checkpoint.com/techniques/macos.html",
"https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
- "https://www.loobins.io/binaries/sysctl/#",
+ "https://evasions.checkpoint.com/techniques/macos.html",
+ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
"https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior",
"https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior",
"https://objective-see.org/blog/blog_0x1E.html",
+ "https://www.loobins.io/binaries/sysctl/#",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml"
],
"tags": [
@@ -87581,8 +87617,8 @@
"logsource.product": "macos",
"refs": [
"https://linux.die.net/man/1/dd",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
"https://linux.die.net/man/1/truncate",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
],
"tags": [
@@ -87683,8 +87719,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://objective-see.org/blog/blog_0x4B.html",
"https://redcanary.com/blog/applescript/",
+ "https://objective-see.org/blog/blog_0x4B.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml"
],
"tags": [
@@ -87876,9 +87912,9 @@
"logsource.product": "macos",
"refs": [
"https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
+ "https://objective-see.org/blog/blog_0x6D.html",
"https://ss64.com/osx/csrutil.html",
"https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
- "https://objective-see.org/blog/blog_0x6D.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml"
],
"tags": [
@@ -88273,8 +88309,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml",
"https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang",
+ "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml"
],
"tags": [
@@ -88324,8 +88360,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.loobins.io/binaries/nscurl/",
"https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl",
+ "https://www.loobins.io/binaries/nscurl/",
"https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml"
],
@@ -88496,9 +88532,9 @@
"refs": [
"https://ss64.com/mac/system_profiler.html",
"https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+ "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
"https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
"https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af",
- "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
"https://objective-see.org/blog/blog_0x62.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml"
],
@@ -88574,10 +88610,10 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
"https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
"https://ss64.com/mac/chflags.html",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
+ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml"
],
"tags": [
@@ -88910,8 +88946,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.manpagez.com/man/8/PlistBuddy/",
"https://redcanary.com/blog/clipping-silver-sparrows-wings/",
+ "https://www.manpagez.com/man/8/PlistBuddy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml"
],
"tags": [
@@ -88998,8 +89034,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
"https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+ "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_disabled.yml"
],
"tags": [
@@ -89065,8 +89101,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
"https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml"
],
"tags": [
@@ -89140,9 +89176,9 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
"https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
"https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
"https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
],
@@ -89211,10 +89247,10 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration",
+ "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership",
"https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository",
"https://docs.github.com/en/migrations",
- "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership",
+ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml"
],
"tags": [
@@ -89325,8 +89361,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities",
"https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority",
+ "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_ssh_certificate_config_changed.yml"
],
"tags": [
@@ -89360,8 +89396,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
"https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+ "https://thehackernews.com/2024/03/github-rolls-out-default-secret.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_push_protection_bypass_detected.yml"
],
"tags": [
@@ -89395,8 +89431,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
"https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml"
],
"tags": [
@@ -89448,8 +89484,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation",
"https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml"
],
"tags": [
@@ -89644,8 +89680,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
],
@@ -89727,8 +89763,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml"
],
"tags": [
@@ -89762,8 +89798,8 @@
"logsource.product": "okta",
"refs": [
"https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
],
"tags": [
@@ -90105,8 +90141,8 @@
"logsource.category": "No established category",
"logsource.product": "cisco",
"refs": [
- "https://duo.com/docs/adminapi#logs",
"https://help.duo.com/s/article/6327?language=en_US",
+ "https://duo.com/docs/adminapi#logs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml"
],
"tags": [
@@ -90263,8 +90299,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://github.com/elastic/detection-rules/pull/1213",
"https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+ "https://github.com/elastic/detection-rules/pull/1213",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml"
],
"tags": [
@@ -90350,8 +90386,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
"https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
+ "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml"
],
"tags": [
@@ -90511,8 +90547,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml"
],
"tags": [
@@ -90571,9 +90607,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
"https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
"https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
- "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml"
],
"tags": [
@@ -90723,9 +90759,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml"
],
"tags": [
@@ -90901,9 +90937,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html",
"https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html",
"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html",
+ "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml"
],
"tags": [
@@ -91111,9 +91147,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/",
"https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things",
"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html",
- "https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml"
],
"tags": [
@@ -91197,9 +91233,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
"https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
- "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml"
],
"tags": [
@@ -91388,13 +91424,13 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
- "https://github.com/elastic/detection-rules/pull/1145/files",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml"
],
"tags": [
@@ -91750,8 +91786,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml"
],
"tags": [
@@ -91808,9 +91844,9 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog",
- "https://cloud.google.com/logging/docs/audit/understanding-audit-logs",
"https://cloud.google.com/access-context-manager/docs/audit-logging",
+ "https://cloud.google.com/logging/docs/audit/understanding-audit-logs",
+ "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml"
],
"tags": [
@@ -92037,11 +92073,11 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
+ "https://github.com/elastic/detection-rules/pull/1267",
+ "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
- "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
- "https://github.com/elastic/detection-rules/pull/1267",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml"
],
"tags": [
@@ -92065,9 +92101,9 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://cloud.google.com/kubernetes-engine/docs",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml"
],
"tags": [
@@ -92160,8 +92196,8 @@
"logsource.product": "gcp",
"refs": [
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml"
],
"tags": [
@@ -92184,8 +92220,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml"
],
"tags": [
@@ -92208,8 +92244,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml"
],
@@ -92233,8 +92269,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://support.google.com/a/answer/9261439",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings",
+ "https://support.google.com/a/answer/9261439",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml"
],
"tags": [
@@ -92302,8 +92338,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml"
],
"tags": [
@@ -92336,8 +92372,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml"
],
"tags": [
@@ -92436,8 +92472,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
"https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml"
],
"tags": [
@@ -92514,8 +92550,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
"https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts",
+ "https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml"
],
"tags": [
@@ -92902,11 +92938,11 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://o365blog.com/post/aadbackdoor/",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
- "https://www.sygnia.co/golden-saml-advisory",
"https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://www.sygnia.co/golden-saml-advisory",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://o365blog.com/post/aadbackdoor/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml"
],
"tags": [
@@ -94107,8 +94143,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
"https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f",
+ "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml"
],
"tags": [
@@ -94142,9 +94178,9 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://twitter.com/NathanMcNulty/status/1785051227568632263",
- "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487",
"https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/",
+ "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487",
+ "https://twitter.com/NathanMcNulty/status/1785051227568632263",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml"
],
"tags": [
@@ -94715,8 +94751,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
"https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f",
+ "https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml"
],
"tags": [
@@ -96113,9 +96149,9 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user",
"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml"
],
"tags": [
@@ -96287,8 +96323,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0",
"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address",
+ "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml"
],
"tags": [
@@ -96359,8 +96395,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
"https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml"
],
"tags": [
@@ -96385,10 +96421,10 @@
"logsource.product": "azure",
"refs": [
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml"
],
"tags": [
@@ -96438,10 +96474,10 @@
"logsource.product": "azure",
"refs": [
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml"
],
"tags": [
@@ -96465,10 +96501,10 @@
"logsource.product": "azure",
"refs": [
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml"
],
"tags": [
@@ -97054,10 +97090,10 @@
"logsource.product": "azure",
"refs": [
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml"
],
"tags": [
@@ -97166,10 +97202,10 @@
"logsource.product": "azure",
"refs": [
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml"
],
"tags": [
@@ -97318,10 +97354,10 @@
"logsource.product": "azure",
"refs": [
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml"
],
"tags": [
@@ -97356,10 +97392,10 @@
"logsource.product": "azure",
"refs": [
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml"
],
"tags": [
@@ -97639,10 +97675,10 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml"
],
"tags": [
@@ -97677,8 +97713,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
"https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml"
],
"tags": [
@@ -97956,8 +97992,8 @@
"logsource.product": "qualys",
"refs": [
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
],
"tags": "No established tags"
@@ -97978,10 +98014,10 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
],
"tags": [
@@ -98005,8 +98041,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
],
"tags": [
@@ -98166,12 +98202,12 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
+ "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
"https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
"https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
"https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
- "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
+ "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
+ "https://www.nextron-systems.com/?s=antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
],
"tags": [
@@ -98237,16 +98273,16 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
"https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://github.com/tennc/webshell",
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
"https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
],
"tags": [
@@ -98279,10 +98315,10 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
+ "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
"https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
"https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
+ "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
],
"tags": [
@@ -98415,9 +98451,9 @@
"logsource.category": "file_event",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
],
@@ -98475,9 +98511,9 @@
"logsource.category": "file_event",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml"
],
@@ -98677,9 +98713,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
"https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://linux.die.net/man/8/pam_tty_audit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
],
@@ -98855,10 +98891,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://mn3m.info/posts/suid-vs-capabilities/",
- "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
+ "https://man7.org/linux/man-pages/man8/getcap.8.html",
"https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
+ "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
],
"tags": [
@@ -99066,8 +99102,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
],
"tags": [
@@ -99133,8 +99169,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
+ "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
],
"tags": [
@@ -99201,8 +99237,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
],
"tags": [
@@ -99513,8 +99549,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://blog.aquasec.com/container-security-tnt-container-attack",
"https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
+ "https://blog.aquasec.com/container-security-tnt-container-attack",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml"
],
"tags": [
@@ -99547,9 +99583,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/1/import",
"https://imagemagick.org/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://linux.die.net/man/1/import",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
],
"tags": [
@@ -99582,9 +99618,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
- "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
"https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
],
"tags": [
@@ -99651,8 +99687,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://objective-see.org/blog/blog_0x68.html",
"https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
+ "https://objective-see.org/blog/blog_0x68.html",
"https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
],
@@ -100081,9 +100117,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
"https://linux.die.net/man/8/insmod",
"https://man7.org/linux/man-pages/man8/kmod.8.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
],
"tags": [
@@ -100216,10 +100252,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence",
"https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content",
- "https://regex101.com/r/RugQYK/1",
"https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
+ "https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence",
+ "https://regex101.com/r/RugQYK/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml"
],
"tags": [
@@ -100285,8 +100321,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
"https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
+ "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml"
],
"tags": [
@@ -100345,8 +100381,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml"
],
"tags": [
@@ -100369,8 +100405,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
"https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
+ "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml"
],
"tags": [
@@ -100600,8 +100636,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://gtfobins.github.io/gtfobins/nice/#shell",
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml"
],
"tags": [
@@ -100709,8 +100745,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
"https://attack.mitre.org/techniques/T1548/001/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
],
"tags": [
@@ -100743,9 +100779,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml"
],
@@ -100864,8 +100900,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/projectdiscovery/naabu",
"https://github.com/Tib3rius/AutoRecon",
+ "https://github.com/projectdiscovery/naabu",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml"
],
@@ -101033,9 +101069,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://linux.die.net/man/1/bash",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"
],
"tags": [
@@ -101124,9 +101160,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml"
],
@@ -101219,8 +101255,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml"
],
"tags": [
@@ -101288,8 +101324,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://blogs.blackberry.com/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"
],
"tags": [
@@ -101421,10 +101457,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
- "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
+ "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml"
],
"tags": [
@@ -101541,9 +101577,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
],
@@ -101568,8 +101604,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/diego-treitos/linux-smart-enumeration",
- "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
],
"tags": [
@@ -101626,9 +101662,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml"
],
@@ -101662,8 +101698,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://gtfobins.github.io/gtfobins/ssh/",
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml"
],
"tags": [
@@ -101729,10 +101765,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
- "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
+ "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml"
],
"tags": [
@@ -101755,8 +101791,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://github.com/apache/spark/pull/36315/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
],
@@ -101791,9 +101827,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
+ "https://access.redhat.com/security/cve/cve-2019-14287",
"https://twitter.com/matthieugarin/status/1183970598210412546",
"https://www.openwall.com/lists/oss-security/2019/10/14/1",
- "https://access.redhat.com/security/cve/cve-2019-14287",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
],
"tags": [
@@ -101869,8 +101905,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://blogs.blackberry.com/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
],
@@ -101937,9 +101973,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
"https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
"https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml"
],
"tags": [
@@ -102006,8 +102042,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://blogs.blackberry.com/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"
],
"tags": [
@@ -102040,10 +102076,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://linux.die.net/man/8/groupdel",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
],
"tags": [
@@ -102099,10 +102135,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
"https://linux.die.net/man/8/userdel",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
],
"tags": [
@@ -102135,9 +102171,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml"
],
@@ -102161,8 +102197,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://gtfobins.github.io/gtfobins/find/#shell",
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml"
],
"tags": [
@@ -102229,8 +102265,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://blogs.blackberry.com/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml"
],
"tags": [
@@ -102263,9 +102299,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html",
"https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml"
],
"tags": [
@@ -102306,15 +102342,15 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/pathtofile/bad-bpf",
- "https://github.com/1N3/Sn1per",
- "https://github.com/Pennyw0rth/NetExec/",
- "https://github.com/t3l3machus/Villain",
"https://github.com/t3l3machus/hoaxshell",
- "https://github.com/HavocFramework/Havoc",
- "https://github.com/Ne0nd0g/merlin",
+ "https://github.com/t3l3machus/Villain",
"https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/Ne0nd0g/merlin",
+ "https://github.com/pathtofile/bad-bpf",
+ "https://github.com/Pennyw0rth/NetExec/",
+ "https://github.com/1N3/Sn1per",
"https://github.com/Gui774ume/ebpfkit",
+ "https://github.com/HavocFramework/Havoc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml"
],
"tags": [
@@ -102381,8 +102417,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://gtfobins.github.io/gtfobins/flock/#shell",
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml"
],
"tags": [
@@ -102448,8 +102484,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml"
],
@@ -102483,8 +102519,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml"
],
"tags": [
@@ -102507,8 +102543,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
"https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
+ "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
],
"tags": [
@@ -102583,8 +102619,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
"https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
],
"tags": [
@@ -102652,8 +102688,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml"
],
"tags": [
@@ -102709,10 +102745,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://gtfobins.github.io/gtfobins/gcc/#shell",
"https://gtfobins.github.io/gtfobins/c89/#shell",
"https://gtfobins.github.io/gtfobins/c99/#shell",
+ "https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml"
],
"tags": [
@@ -102813,9 +102849,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
+ "https://gtfobins.github.io/gtfobins/rvim/",
"https://gtfobins.github.io/gtfobins/vim/",
"https://gtfobins.github.io/gtfobins/vimdiff/",
- "https://gtfobins.github.io/gtfobins/rvim/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml"
],
"tags": [
@@ -102848,11 +102884,11 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
"https://curl.se/docs/manpage.html",
"https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
],
"tags": [
@@ -102992,8 +103028,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml"
],
"tags": [
@@ -103017,8 +103053,8 @@
"logsource.product": "linux",
"refs": [
"https://gtfobins.github.io/gtfobins/nohup/",
- "https://www.computerhope.com/unix/unohup.htm",
"https://en.wikipedia.org/wiki/Nohup",
+ "https://www.computerhope.com/unix/unohup.htm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
],
"tags": [
@@ -103204,8 +103240,8 @@
"logsource.product": "linux",
"refs": [
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html",
- "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
"https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml"
],
"tags": [
@@ -103281,10 +103317,10 @@
"logsource.product": "linux",
"refs": [
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
- "https://www.revshells.com/",
- "https://man7.org/linux/man-pages/man1/ncat.1.html",
"https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
+ "https://www.revshells.com/",
"https://www.infosecademy.com/netcat-reverse-shells/",
+ "https://man7.org/linux/man-pages/man1/ncat.1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
],
"tags": [
@@ -103516,9 +103552,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"
],
@@ -103576,8 +103612,8 @@
"logsource.product": "linux",
"refs": [
"https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
- "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
"https://bpftrace.org/",
+ "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
],
"tags": [
@@ -103668,9 +103704,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"
],
@@ -103704,9 +103740,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
- "https://blogs.blackberry.com/",
"https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
+ "https://blogs.blackberry.com/",
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
],
"tags": [
@@ -103806,10 +103842,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://sysdig.com/blog/mitre-defense-evasion-falco",
- "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
"https://linuxhint.com/uninstall-debian-packages/",
+ "https://sysdig.com/blog/mitre-defense-evasion-falco",
"https://linuxhint.com/uninstall_yum_package/",
+ "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
],
"tags": [
@@ -103967,8 +104003,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh",
"https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/",
+ "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml"
],
"tags": [
@@ -104227,11 +104263,11 @@
"logsource.category": "network_connection",
"logsource.product": "linux",
"refs": [
+ "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors",
+ "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html",
+ "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team",
"https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html",
"https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections",
- "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html",
- "https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors",
- "https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml"
],
"tags": [
@@ -104298,9 +104334,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
"https://book.hacktricks.xyz/shells/shells/linux",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
+ "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
],
"tags": [
@@ -104323,8 +104359,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://redcanary.com/blog/ebpf-malware/",
"https://man7.org/linux/man-pages/man7/bpf-helpers.7.html",
+ "https://redcanary.com/blog/ebpf-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml"
],
"tags": [
@@ -104447,10 +104483,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
"https://artkond.com/2017/03/23/pivoting-guide/",
"http://pastebin.com/FtygZ1cg",
"https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
],
"tags": [
@@ -104506,9 +104542,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
"https://linux.die.net/man/8/useradd",
"https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
- "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
],
"tags": [
@@ -104683,9 +104719,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
"https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
+ "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
],
"tags": [
@@ -104718,8 +104754,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
"https://github.com/Immersive-Labs-Sec/nimbuspwn",
+ "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml"
],
"tags": [
@@ -104875,9 +104911,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://access.redhat.com/security/cve/cve-2019-14287",
"https://twitter.com/matthieugarin/status/1183970598210412546",
"https://www.openwall.com/lists/oss-security/2019/10/14/1",
- "https://access.redhat.com/security/cve/cve-2019-14287",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
],
"tags": [
@@ -105051,8 +105087,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
"https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
+ "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
],
"tags": [
@@ -105139,5 +105175,5 @@
"value": "Modifying Crontab"
}
],
- "version": 20240919
+ "version": 20241003
}
From 59a0d9a986e3d190125357cd9df28234c7f95aeb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 3 Oct 2024 08:40:13 +0200
Subject: [PATCH 23/42] chg: [tidal] updated to the latest version
---
README.md | 8 +-
clusters/tidal-campaigns.json | 204 +-
clusters/tidal-groups.json | 932 +++---
clusters/tidal-references.json | 2534 +++++++++------
clusters/tidal-software.json | 5238 +++++++++++---------------------
5 files changed, 3982 insertions(+), 4934 deletions(-)
diff --git a/README.md b/README.md
index 71ff208..ab7a653 100644
--- a/README.md
+++ b/README.md
@@ -607,7 +607,7 @@ Category: *actor* - source: *MISP Project* - total: *738* elements
[Tidal Campaigns](https://www.misp-galaxy.org/tidal-campaigns) - Tidal Campaigns Cluster
-Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *78* elements
+Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *83* elements
[[HTML](https://www.misp-galaxy.org/tidal-campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)]
@@ -615,7 +615,7 @@ Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns
[Tidal Groups](https://www.misp-galaxy.org/tidal-groups) - Tidal Groups Galaxy
-Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *200* elements
+Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *206* elements
[[HTML](https://www.misp-galaxy.org/tidal-groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)]
@@ -623,7 +623,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group
[Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster
-Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4309* elements
+Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4349* elements
[[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]
@@ -631,7 +631,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc
[Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster
-Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1014* elements
+Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1053* elements
[[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]
diff --git a/clusters/tidal-campaigns.json b/clusters/tidal-campaigns.json
index 996d30a..80be3e5 100644
--- a/clusters/tidal-campaigns.json
+++ b/clusters/tidal-campaigns.json
@@ -57,7 +57,7 @@
{
"description": "In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new variants of the Truebot botnet malware infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 in the IT system auditing application Netwrix Auditor to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections, FlawedGrace and Cobalt Strike for various post-exploitation activities, and Teleport, a custom tool for data exfiltration.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]\n\nThe Advisory did not provide specific impacted victim sectors. The Advisory referred to activity taking place “in recent months” prior to July 2023 but did not provide an estimated date when the summarized activity began. A public threat report referenced in the Advisory reported an observed increase in Truebot infections beginning in August 2022, including several compromises involving education sector organizations.[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)][[Cisco Talos Blog December 08 2022](/references/bcf92374-48a3-480f-a679-9fd34b67bcdd)]\n\n**Related Vulnerabilities**: CVE-2022-31199[[U.S. CISA Increased Truebot Activity July 6 2023](/references/6f9b8f72-c55f-4268-903e-1f8a82efa5bb)]",
"meta": {
- "campaign_attack_id": "C5000",
+ "campaign_attack_id": "C3003",
"first_seen": "2022-08-01T00:00:00Z",
"last_seen": "2023-05-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -75,7 +75,7 @@
{
"description": "In August 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Norwegian National Cyber Security Centre (NCSC-NO) authorities released Cybersecurity Advisory AA23-213A, which detailed observed exploitation of two vulnerabilities, CVE-2023-35078 and CVE-2023-35081, affecting Ivanti Endpoint Manager Mobile (EPMM), a solution which provides elevated access to an organization's mobile devices. According to the Advisory, authorities observed unspecified advanced persistent threat (APT) actors exploiting CVE-2023-35078 as a zero-day from at least April 2023 in order to gather information from unspecified organizations in Norway, and to gain initial access to a Norwegian government agency.\n\nIvanti released a CVE-2023-35078 patch on July 23, but then determined that CVE-2023-35081 could be chained together with the first vulnerability, a process which can enable arbitrary upload and execution of actor files, such as web shells. Ivanti released a CVE-2023-35081 patch on July 28. The Advisory provided mitigation recommendations, vulnerability and compromise identification methods, and incident response guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a).[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]\n\n**Related Vulnerabilities**: CVE-2023-35078[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)], CVE-2023-35081[[U.S. CISA CVE-2023-35078 Exploits](/references/62305b8a-76c8-49ec-82dc-6756643ccf7a)]",
"meta": {
- "campaign_attack_id": "C5004",
+ "campaign_attack_id": "C3007",
"first_seen": "2023-04-01T00:00:00Z",
"last_seen": "2023-07-28T00:00:00Z",
"owner": "TidalCyberIan",
@@ -95,7 +95,7 @@
{
"description": "In September 2023, U.S. cybersecurity authorities released Cybersecurity Advisory AA23-250A, which detailed multiple intrusions in early 2023 involving an aeronautical sector organization and attributed to multiple unspecified “nation-state advanced persistent threat (APT) actors”. As early as January, one set of actors exploited CVE-2022-47966, a vulnerability in the Zoho ManageEngine ServiceDesk Plus IT service management application that allows remote code execution, to access the organization’s public-facing web servers. A separate set of actors was also observed exploiting CVE-2022-42475, a vulnerability in Fortinet, Inc.’s FortiOS SSL-VPN that also allows remote code execution, to gain access to the organization’s firewall devices.\n\nAfter gaining access, the actors downloaded malware, performed network discovery, collected administrator credentials, and moved laterally, but according to the advisory, unclear data storage records inhibited insight into whether any proprietary information was accessed, altered, or exfiltrated. A common behavior among both sets of actors was log deletion from critical servers and the use of disabled, legitimate administrator credentials, which in one case belonged to a previously employed contractor (the organization confirmed the credentials were disabled before the observed threat activity).[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]\n\nIn addition to behavioral observations and indicators of compromise, the Advisory provided detection and mitigation guidance, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a).\n\n**Related Vulnerabilities**: CVE-2022-47966, CVE-2022-42475, CVE-2021-44228[[U.S. CISA Zoho Exploits September 7 2023](/references/6bb581e8-ed0e-41fe-bf95-49b5d11b4e6b)]",
"meta": {
- "campaign_attack_id": "C5005",
+ "campaign_attack_id": "C3009",
"first_seen": "2023-01-01T00:00:00Z",
"last_seen": "2023-04-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -115,7 +115,7 @@
{
"description": "AMBERSQUID is a \"cloud-native\" financially motivated threat operation that specifically leverages AWS services. Researchers estimated that AMBERSQUID cryptojacking activity could cost its victims more than $10,000 per day.[[Sysdig AMBERSQUID September 18 2023](/references/7ffa880f-5854-4b8a-83f5-da42c1c39345)]",
"meta": {
- "campaign_attack_id": "C5031",
+ "campaign_attack_id": "C3030",
"first_seen": "2022-05-01T00:00:00Z",
"last_seen": "2023-03-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -134,7 +134,7 @@
{
"description": "In July 2024, U.S. cybersecurity authorities and international partners published Cybersecurity Advisory AA24-207A, which detailed North Korean state-sponsored cyber espionage activity likely intended to support the regime's military and nuclear development programs. The advisory focused on an actor group tracked as Andariel, Onyx Sleet, and APT45 and highlighted how this group has shifted from conducting destructive attacks to carrying out espionage operations that have been funded through ransomware. Where past destructive operations mainly targeted U.S. and South Korean entities, recent espionage attacks targeted various defense, aerospace, nuclear, and engineering organizations, while ransomware attacks targeted U.S. healthcare entities.\n\nAndariel actors gain initial access especially by exploiting software vulnerabilities, use widely available tools for discovery and privilege escalation, and leverage a wide range of custom as well as commodity malware. The advisory does not clearly identify the timeframe in which malicious activities were observed, although it discusses actors' exploits of vulnerabilities disclosed in 2017, 2019, and especially 2021, 2022, and 2023 and referenced public threat reporting published from March 2021 through May 2024.[[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]",
"meta": {
- "campaign_attack_id": "C5048",
+ "campaign_attack_id": "C3048",
"first_seen": "2021-03-01T00:00:00Z",
"last_seen": "2024-05-30T00:00:00Z",
"owner": "TidalCyberIan",
@@ -202,7 +202,7 @@
{
"description": "Threat actors, believed to be associated with the FIN7 financially motivated adversary group, stood up malicious hosting websites impersonating prominent brands in the financial services, technology/SaaS, and media sectors, then used paid web search advertisements to direct victims to these sites. Victims were then tricked into downloading malicious binaries, which ultimately led to the ingress of the NetSupport RAT and/or DiceLoader (aka Lizar) malware (these latter tools are known to be used for a range of persistent access and malware ingress purposes).[[Esentire 5 8 2024](/references/67c3a7ed-e2e2-4566-aca7-61e766f177bf)]",
"meta": {
- "campaign_attack_id": "C5038",
+ "campaign_attack_id": "C3038",
"first_seen": "2024-04-01T00:00:00Z",
"last_seen": "2024-04-30T00:00:00Z",
"owner": "TidalCyberIan",
@@ -219,7 +219,7 @@
{
"description": "In April 2023, U.S. and UK cybersecurity authorities released joint Cybersecurity Advisory AA23-108, which detailed a campaign by Russia-backed APT28 to compromise vulnerable routers running Cisco Internetworking Operating System (IOS). Actors collected device information and conducted further network reconnaissance on victims “worldwide”, including U.S. government institutions, 250 Ukrainian entities, and “a small number” of victims elsewhere in Europe. Adversary activity occurred over an unspecified timeframe in 2021.\n\nActors exploited CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017, and used default authentication strings to gain initial access to devices and subsequently gather router information, such as router interface details. In some cases, authorities observed actors deploying Jaguar Tooth, a malicious software bundle consisting of a series of payloads and patches. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated, backdoor access to victim systems.[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]\n\nIn addition to behavioral observations, the Advisory also provided mitigation recommendations and indicators of compromise, which can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108).\n\n**Related Vulnerabilities**: CVE-2017-6742[[U.S. CISA APT28 Cisco Routers April 18 2023](/references/c532a6fc-b27f-4240-a071-3eaa866bce89)]",
"meta": {
- "campaign_attack_id": "C5007",
+ "campaign_attack_id": "C3008",
"first_seen": "2021-01-01T00:00:00Z",
"last_seen": "2021-12-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -236,7 +236,7 @@
{
"description": "U.S. authorities and various international partners released joint cybersecurity advisory AA20-150A, which detailed a series of attacks linked to APT28 that leveraged compromised Ubiquiti EdgeRouters to facilitate the attacks. Actors used the network of compromised routers for a range of malicious activities, including harvesting credentials, proxying network traffic, and hosting fake landing pages and post-exploitation tools. Attacks targeted organizations in a wide range of sectors around the world.[[U.S. Federal Bureau of Investigation 2 27 2024](/references/962fb031-dfd1-43a7-8202-3a2231b0472b)] According to a separate U.S. Justice Department announcement, the botnet involved in these attacks differed from previous APT28-linked cases, since nation-state actors accessed routers that had been initially compromised by a separate, unspecified cybercriminal group.[[U.S. Justice Department GRU Botnet February 2024](/references/26a554dc-39c0-4638-902d-7e84fe01b961)]",
"meta": {
- "campaign_attack_id": "C5015",
+ "campaign_attack_id": "C3027",
"first_seen": "2022-12-01T00:00:00Z",
"last_seen": "2024-01-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -260,7 +260,7 @@
{
"description": "UK cybersecurity authorities and international partners published Cybersecurity Advisory AA24-057A (February 2024), which detailed recent tactics, techniques, and procedures (TTPs) used by Russian state-backed adversary group APT29 to target cloud environments. The advisory indicated that as more government agencies and enterprises move elements of their operations to cloud infrastructure, APT29 actors have especially adapted their TTPs for gaining initial access into these cloud environments.[[U.S. CISA APT29 Cloud Access](/references/e9e08eca-1e01-4ff0-a8ef-49ecf66aaf3d)]",
"meta": {
- "campaign_attack_id": "C5016",
+ "campaign_attack_id": "C3028",
"first_seen": "2023-02-26T00:00:00Z",
"last_seen": "2024-02-26T00:00:00Z",
"owner": "TidalCyberIan",
@@ -277,7 +277,7 @@
{
"description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nIn December 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-347A, which detailed large-scale observed exploitation of CVE-2023-42793 since September 2023 by cyber threat actors associated with Russia’s Foreign Intelligence Service (SVR). According to the advisory, these actors are also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard.\n\nCVE-2023-42793 is an authentication bypass vulnerability in the JetBrains TeamCity software development program. After exploiting the vulnerability to gain access into victim networks, SVR actors were then observed escalating privileges, moving laterally, and deploying additional backdoors in an apparent effort to maintain long-term persistent access to victim environments. The advisory noted how SVR actors used access gained during the 2020 compromise of SolarWinds, another software company, to conduct supply chain operations affecting SolarWinds customers, but it also noted that such activity has not been observed in this case to date.\n\nJetBrains released a patch for CVE-2023-42793 in September 2023. The advisory indicated that the compromises observed to date appear to be opportunistic, impacting unpatched, internet-accessible TeamCity servers. “A few dozen” compromised entities have been identified so far (companies in disparate sectors in the United States, Europe, Asia, and Australia), but authorities assess that this tally does not represent the full number of compromised victims. Indicators of compromise, mitigation guidance, and detection resources – including Sigma and YARA rules – can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a).[[U.S. CISA SVR TeamCity Exploits December 2023](/references/5f66f864-58c2-4b41-8011-61f954e04b7e)]",
"meta": {
- "campaign_attack_id": "C5012",
+ "campaign_attack_id": "C3017",
"first_seen": "2023-09-01T00:00:00Z",
"last_seen": "2023-12-14T00:00:00Z",
"owner": "TidalCyberIan",
@@ -294,7 +294,7 @@
{
"description": "On July 8, 2024, international authorities published an advisory (CISA Alert AA24-190A) that detailed recent activity associated with APT40, a Chinese state-sponsored cyber espionage group. The advisory covers observed attacks on Australian organizations, but the group has been recently active elsewhere (Tidal metadata shows observed activity historically across East/Southeast Asia, the Middle East, Europe, and North America). The advisory emphasized that the recently published TTPs are relevant for defenders at organizations “globally”.\n\nThe advisory spotlighted the group's efforts to compromise outdated small-office/home-office (SOHO) routers via vulnerability exploits, using the routers as infrastructure to carry out further attacks. However, the advisory also summarized a range of other Techniques not previously associated with APT40, which were used at phases across the attack chain, including for persistence, credential access, lateral movement, collection, and exfiltration.[[U.S. CISA APT40 July 8 2024](/references/3bf90a48-caf6-4b9d-adc2-3d1176f49ffc)]",
"meta": {
- "campaign_attack_id": "C5047",
+ "campaign_attack_id": "C3047",
"first_seen": "2022-04-01T00:00:00Z",
"last_seen": "2022-09-30T00:00:00Z",
"owner": "TidalCyberIan",
@@ -325,7 +325,7 @@
{
"description": "In July 2024, security researchers publicized a campaign attributed to Chinese state-sponsored espionage group APT41, where actors gained and maintained long-term access to various organizations' networks in multiple sectors around the world. Victims belonged to the shipping/logistics, media, entertainment, technology, and automotive industries and were located in western Europe, the Middle East, and East and Southeast Asia. Actors used a combination of red teaming tools, publicly available software, and custom malware for persistence, command and control, data collection, and exfiltration to Microsoft OneDrive accounts. The intrusions were notable for featuring the reemergence of DUSTPAN, a dropper not observed since a series of older APT41 compromises in 2021 & 2022.[[Mandiant APT41 July 18 2024](/references/34ee3a7c-27c0-492f-a3c6-a5a3e86915f0)]",
"meta": {
- "campaign_attack_id": "C5049",
+ "campaign_attack_id": "C3049",
"first_seen": "2023-03-21T00:00:00Z",
"last_seen": "2024-07-16T00:00:00Z",
"owner": "TidalCyberIan",
@@ -342,7 +342,7 @@
{
"description": "ArcaneDoor was a campaign, which likely ran from November 2023 until around February 2024, that targeted Cisco Adaptive Security Appliances (ASAs). ASAs are network devices that combine firewall, VPN, and other functionality. The campaign targeted unspecified government institutions around the world and was believed to have been conducted for espionage purposes.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]\n\nResearchers attributed the campaign to UAT4356 (aka Storm-1849), a possible China-linked adversary.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)] The initial access vector for the ArcaneDoor attacks remains unclear. After gaining a foothold, actors used the Line Dancer tool to upload Line Runner, a persistence and arbitrary code execution capability, to compromised ASAs (Cisco assigned two vulnerabilities, CVE-2024-20359 and CVE-2024-20353, to these activities). Responders observed various actions on objectives during the attacks, including device configuration modification, network traffic capture, and possible lateral movement.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)]",
"meta": {
- "campaign_attack_id": "C5019",
+ "campaign_attack_id": "C3036",
"first_seen": "2023-11-01T00:00:00Z",
"last_seen": "2024-02-29T00:00:00Z",
"owner": "TidalCyberIan",
@@ -365,7 +365,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker used exposed cloud credentials to gain access to an AWS environment and ultimately collect and exfiltrate data before deleting files and leaving a ransom note extorting the victim to recover the stolen data.[[Www.invictus-ir.com 1 11 2024](/references/5e2a0756-d8f6-4359-9ca3-1e96fb8b5ac9)]",
"meta": {
- "campaign_attack_id": "C5035",
+ "campaign_attack_id": "C3034",
"first_seen": "2024-01-01T00:00:00Z",
"last_seen": "2024-01-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -385,7 +385,7 @@
{
"description": "Security researchers observed adversary activity that involved deployment of hundreds of AWS ECS Fargate clusters used to run XMRig cryptomining software. Researchers assessed that the activity was likely part of a wider campaign involving potentially hundreds of thousands of environments.[[Datadog ECS January 19 2024](/references/7e4e44a7-b079-41af-b41d-176ba7e99563)]",
"meta": {
- "campaign_attack_id": "C5032",
+ "campaign_attack_id": "C3031",
"first_seen": "2023-12-01T00:00:00Z",
"last_seen": "2024-01-19T00:00:00Z",
"owner": "TidalCyberIan",
@@ -404,7 +404,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker was able to steal AWS Lambda credentials, use them to execute various API calls and enumerate various cloud services, and ultimately perform a cloud-based phishing attack, which reportedly cost the target organization considerable financial damage.[[Unit 42 12 8 2022](/references/e7a4a0cf-ffa2-48cc-9b21-a2333592c773)]",
"meta": {
- "campaign_attack_id": "C5033",
+ "campaign_attack_id": "C3032",
"first_seen": "2022-05-20T00:00:00Z",
"last_seen": "2022-05-20T00:00:00Z",
"owner": "TidalCyberIan",
@@ -422,7 +422,7 @@
{
"description": "Adversaries used email bombing and subsequent voice phishing to convince target users into granting the actors remote access to victim systems via legitimate tools including AnyDesk and the built-in Windows Quick Assist utility. The actors then used malicious remote access tools to access other assets within compromised environments, in some cases followed by deployment of Black Basta ransomware.[[Rapid7 Blog 5 10 2024](/references/ba749fe0-1ac7-4767-85df-97e6351c37f9)][[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]",
"meta": {
- "campaign_attack_id": "C5037",
+ "campaign_attack_id": "C3037",
"first_seen": "2024-04-15T00:00:00Z",
"last_seen": "2024-05-15T00:00:00Z",
"owner": "TidalCyberIan",
@@ -442,7 +442,7 @@
{
"description": "This object represents observed pre-attack, initial access, execution, and other techniques used to distribute Bumblebee malware in 2023 and early 2024. Further background & contextual details can be found in the References tab below, and additional techniques associated with the technical mechanics of Bumblebee binaries can be found in the relevant Software object.",
"meta": {
- "campaign_attack_id": "C5029",
+ "campaign_attack_id": "C3025",
"first_seen": "2023-03-01T00:00:00Z",
"last_seen": "2024-02-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -592,7 +592,7 @@
{
"description": "In June 2023, U.S. authorities released Cybersecurity Advisory AA23-158A, which detailed observed exploits of a zero-day SQL injection vulnerability (CVE-2023-34362) affecting Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. According to the Advisory, exploit activity began on May 27, 2023, as threat actors, which the Advisory attributed to \"CL0P Ransomware Gang, also known as TA505\", began compromising internet-facing MOVEit Transfer web applications. Actors deployed web shells, dubbed LEMURLOOT, on compromised MOVEit applications, which enabled persistence, discovery of files and folders stored on MOVEit servers, and staging and exfiltration of compressed victim data. Authorities indicated they expected to see \"widespread exploitation of unpatched software services in both private and public networks\".[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)] Progress Software acknowledged the vulnerability and issued guidance on known affected versions, software upgrades, and patching.[[Progress Software MOVEit Transfer Critical Vulnerability](/references/9f364e22-b73c-4f3a-902c-a3f0eb01a2b9)]\n\n**Related Vulnerabilities**: CVE-2023-34362[[U.S. CISA CL0P CVE-2023-34362 Exploitation](/references/07e48ca8-b965-4234-b04a-dfad45d58b22)]",
"meta": {
- "campaign_attack_id": "C5002",
+ "campaign_attack_id": "C3005",
"first_seen": "2023-05-27T00:00:00Z",
"last_seen": "2023-06-16T00:00:00Z",
"owner": "TidalCyberIan",
@@ -610,7 +610,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5026",
+ "campaign_attack_id": "C3022",
"first_seen": "2023-11-14T00:00:00Z",
"last_seen": "2023-11-24T00:00:00Z",
"owner": "TidalCyberIan",
@@ -625,6 +625,28 @@
"uuid": "bbbdc2a2-bd7e-4251-a064-b7f4997ac2a4",
"value": "Cloudflare Thanksgiving 2023 security incident"
},
+ {
+ "description": "Actors deploying a variant of the Mirai botnet, known as Corona, were observed exploiting a zero-day vulnerability (CVE-2024-7029) to achieve initial infection of new devices with the botnet. The vulnerability enables remote code execution on affected devices (AVTECH closed-circuit television (CCTV) cameras), which actors abused to ingress their main payloads.[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]",
+ "meta": {
+ "campaign_attack_id": "C3051",
+ "first_seen": "2024-03-18T00:00:00Z",
+ "last_seen": "2024-08-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "55cb344a-cbd5-4fd1-a1e9-30bbc956527e",
+ "f925e659-1120-4b76-92b6-071a7fb757d6",
+ "06236145-e9d6-461c-b7e4-284b3de5f561",
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "4f1823b1-80ad-4f5d-ba04-a4d4baf37e72",
+ "value": "Corona Mirai Botnet Zero-Day Exploit Campaign"
+ },
{
"description": "[CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://app.tidalcyber.com/campaigns/fb011ed2-bfb9-4f0f-bd88-8b3fa0cf9b48) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)]",
"meta": {
@@ -664,7 +686,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to an incident response where an attacker gained initial access to an AWS environment using an \"accidentally exposed long term access key belonging to an IAM user\". The actor persisted for approximately a month and ultimately used their access to carry out limited cryptomining acitivty, conduct phishing and spam email attacks via AWS SES, and establish domains for further phishing/spam campaigns.[[Www.invictus-ir.com 1 31 2024](/references/803a084a-0468-4c43-9843-a0b5652acdba)]",
"meta": {
- "campaign_attack_id": "C5034",
+ "campaign_attack_id": "C3033",
"first_seen": "2024-01-01T00:00:00Z",
"last_seen": "2024-01-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -682,7 +704,7 @@
{
"description": "German and South Korean cybersecurity authorities published an advisory highlighting recent attempts by North Korea-linked cyber actors to target enterprises and research centers in the defense sector. The advisory detailed a supply chain attack, attributed to an unnamed threat group, in which actors compromised a company that maintained a defense sector research center's web servers, then used stolen SSH credentials to remotely access the research center's network. The actors then used various methods to evade defenses, including impersonating security staff, deployed malware via a patch management system, and stole account information and email contents before being evicted from the network.[[BfV North Korea February 17 2024](/references/cc76be15-6d9d-40b2-b7f3-196bb0a7106a)]",
"meta": {
- "campaign_attack_id": "C5014",
+ "campaign_attack_id": "C3026",
"first_seen": "2022-12-01T00:00:00Z",
"last_seen": "2022-12-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -700,7 +722,7 @@
{
"description": "In September 2023, French cybersecurity authorities released advisory CERTFR-2023-CTI-007, which detailed a network intrusion of the Regional and University Hospital Center of Brest, in northwestern France. Actors used valid credentials belonging to a healthcare professional to connect to a remote desktop service exposed to the Internet, then installed Cobalt Strike and SystemBC to provide backdoor network access. Authorities indicated that the credentials were likely compromised via unspecified infostealer malware.\n\nThe actors used multiple third-party tools for credential access and discovery, and they attempted to exploit at least five vulnerabilities for privilege escalation and lateral movement. Authorities worked with hospital personnel to isolate affected systems and disrupt the intrusion before suspected data exfiltration and encryption could take place. Based on infrastructural and behavioral overlaps with other incidents, officials attributed the intrusion to the FIN12 financially motivated actor group and indicated the same actors are responsible for dozens of attacks on French victims in recent years.\n\nAdditional details, indicators of compromise, and the observed Cobalt Strike configuration can be found in the [source report](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf).[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]",
"meta": {
- "campaign_attack_id": "C5006",
+ "campaign_attack_id": "C3010",
"first_seen": "2023-03-01T00:00:00Z",
"last_seen": "2023-03-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -745,7 +767,7 @@
{
"description": "U.S. cybersecurity authorities released an advisory that warned of recent attacks targeting healthcare entities and providers, which leveraged social engineering techniques for initial access and ultimately led to financial theft. The attacks used voice phishing and phishing domains, and sometimes bypassed multi-factor authentication measures, to gain footholds. Actors often used information gathered through extensive reconnaissance to facilitate these efforts.\n\nActors then used \"living off the land\" (LOTL) techniques to persist stealthily in compromised environments. Ultimately, actors sought to modify patient automated clearinghouse (ACH) account information to divert payments to actor-controlled bank accounts. The advisory did not attribute the recent campaign to a named adversary group.[[FBI Social Engineering Attacks June 24 2024](/references/527ac41a-a65e-4cf9-a9c9-194443b37c5b)]",
"meta": {
- "campaign_attack_id": "C5042",
+ "campaign_attack_id": "C3042",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2024-06-24T00:00:00Z",
"owner": "TidalCyberIan",
@@ -762,7 +784,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5025",
+ "campaign_attack_id": "C3021",
"first_seen": "2023-05-01T00:00:00Z",
"last_seen": "2023-12-12T00:00:00Z",
"owner": "TidalCyberIan",
@@ -780,7 +802,7 @@
{
"description": "In November 2022, U.S. cybersecurity authorities released Cybersecurity Advisory AA22-320A, which detailed an incident response engagement at an unspecified U.S. Federal Civilian Executive Branch organization. Authorities assessed that the network compromise was carried out by unspecified Iranian government-sponsored advanced persistent threat (APT) actors. The actors achieved initial network access by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. Post-exploit activities included installing XMRig crypto mining software and executing Mimikatz to harvest credentials, as well as moving laterally to the domain controller and implanting Ngrok reverse proxies on multiple hosts to maintain persistence.\n\nAdditional details, including incident response guidance and relevant mitigations, can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a).[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]\n\n**Related Vulnerabilities**: CVE-2021-44228[[U.S. CISA Advisory November 25 2022](/references/daae1f54-8471-4620-82d5-023d04144acd)]",
"meta": {
- "campaign_attack_id": "C5008",
+ "campaign_attack_id": "C3012",
"first_seen": "2022-06-15T00:00:00Z",
"last_seen": "2022-07-15T00:00:00Z",
"owner": "TidalCyberIan",
@@ -797,7 +819,7 @@
{
"description": "In November 2020, U.S. cybersecurity authorities released joint Cybersecurity Advisory AA20-304A, which detailed efforts by an unspecified Iranian advanced persistent threat (APT) actor to target U.S. state websites, including election-related sites, with the goal of obtaining voter registration data. The actors used a legitimate vulnerability scanner, Acunetix, to scan state election websites, and they attempted to exploit sites with directory traversal, SQL injection, and web shell upload attacks. Authorities confirmed the actors successfully obtained voter registration data in at least one state – after abusing a website misconfiguration, they used a cURL-based scripting tool to iterate through and retrieve voter records. Officials assessed that the actor behind the website attacks is responsible for mass dissemination of intimidation emails to U.S. citizens and a disinformation campaign featuring a U.S. election-related propaganda video in mid-October 2020. Authorities furthermore assessed that information obtained during the website attacks was featured in the propaganda video.[[U.S. CISA Iran Voter Data November 3 2020](/references/be89be75-c33f-4c58-8bf0-979c1debaad7)]",
"meta": {
- "campaign_attack_id": "C5010",
+ "campaign_attack_id": "C3014",
"first_seen": "2020-09-20T00:00:00Z",
"last_seen": "2020-10-20T00:00:00Z",
"owner": "TidalCyberIan",
@@ -810,7 +832,7 @@
{
"description": "In September 2022, U.S., Canadian, United Kingdom, and Australian cybersecurity authorities released joint Cybersecurity Advisory AA22-257A, which detailed malicious cyber activity attributed to advanced persistent threat (APT) actors affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC). The advisory updated a previous alert (AA21-321A), published in November 2021, and summarized recent activities linked to the actors. Since at least March 2021, the actors were observed targeting victims in a wide range of U.S. critical infrastructure sectors, including transportation and healthcare, and victims in unspecified sectors in Australia, Canada, and the United Kingdom.\n\nThe actors typically exploited vulnerabilities to gain initial network access. They were observed exploiting vulnerabilities in Microsoft Exchange servers (ProxyShell) and Fortinet devices in 2021, and VMware Horizon (Log4j) in 2022. After gaining access, the actors typically evaluated the perceived value of data held within a victim network and either encrypted it for ransom and/or exfiltrated it. The actors are believed to have sold some exfiltrated data or used it as leverage to further pressure victims into paying a ransom.\n\nIn addition to behavioral observations and indicators of compromise, the advisories provided detection and mitigation guidance, which can be found in the source reports [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a) and [here](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a).\n\n**Related Vulnerabilities**: CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105[[U.S. CISA IRGC Actors September 14 2022](/references/728b20b0-f702-4dbe-afea-50270648a3a2)], CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591[[U.S. CISA Iranian Government Actors November 19 2021](/references/d7014279-bc6a-43d4-953a-a6bc1d97a13b)]",
"meta": {
- "campaign_attack_id": "C5009",
+ "campaign_attack_id": "C3013",
"first_seen": "2021-03-01T00:00:00Z",
"last_seen": "2022-09-14T00:00:00Z",
"owner": "TidalCyberIan",
@@ -865,7 +887,7 @@
{
"description": "JOKERSPY (aka REF9134) was an intrusion involving a Python-based backdoor, which was used to deploy a malicious macOS-based enumeration tool called Swiftbelt and other open-source tools.[[elastic.co 6 21 2023](/references/42c40ec8-f46a-48fa-bd97-818e3d3d320e)]",
"meta": {
- "campaign_attack_id": "C5036",
+ "campaign_attack_id": "C3035",
"first_seen": "2023-05-31T00:00:00Z",
"last_seen": "2023-06-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -882,7 +904,7 @@
{
"description": "In July 2023, U.S. Cybersecurity & Infrastructure Security Agency authorities released Cybersecurity Advisory AA23-201A, which detailed an observed exploit of a zero-day vulnerability (CVE-2023-3519) affecting NetScaler (formerly Citrix) Application Delivery Controller (\"ADC\") and NetScaler Gateway appliances. According to the Advisory, the exploitation activity occurred in June 2023, and the victim (an undisclosed entity in the critical infrastructure sector) reported it in July 2023.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Citrix acknowledged the reported exploit of the vulnerability, which enables unauthenticated remote code execution, and released a patch on July 18, 2023.[[Citrix Bulletin CVE-2023-3519](/references/245ef1b7-778d-4df2-99a9-b51c95c57580)]\n\nAfter achieving initial access via exploit of CVE-2023-3519, threat actors dropped a web shell on the vulnerable ADC appliance, which was present on a non-production environment. The web shell enabled subsequent information discovery on the victim's Active Directory (\"AD\"), followed by collection and exfiltration of AD-related data. The actors also attempted lateral movement to a domain controller, but the Advisory indicated that network segementation controls for the ADC appliance blocked this attempted activity.[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)] Separately, in a blog on CVE-2023-3519 exploit investigations released the day after the CISA Advisory, Mandiant indicated that the type of activity observed is \"consistent with previous operations by China-nexus actors\".[[Mandiant CVE-2023-3519 Exploitation](/references/4404ed65-3020-453d-8c51-2885018ba03b)]\n\n**Related Vulnerabilities**: CVE-2023-3519[[U.S. CISA CVE-2023-3519 Exploits](/references/021c4caa-7a7a-4e49-9c5c-6eec176bf923)]",
"meta": {
- "campaign_attack_id": "C5001",
+ "campaign_attack_id": "C3004",
"first_seen": "2023-06-01T00:00:00Z",
"last_seen": "2023-06-30T00:00:00Z",
"owner": "TidalCyberIan",
@@ -900,7 +922,7 @@
{
"description": "In November 2023, U.S. cybersecurity authorities and international partners released Cybersecurity Advisory AA23-325A, which detailed observed exploitation of CVE-2023-4966 (known colloquially as the “Citrix Bleed” vulnerability) by threat actors believed to be affiliated with the LockBit ransomware operation.\n\nCitrix Bleed is a vulnerability in Citrix NetScaler web application delivery control (“ADC”) and NetScaler Gateway appliances, which allows adversaries to bypass password requirements and multifactor authentication, enabling hijacking of legitimate user sessions and subsequent credential harvesting, lateral movement, and data or resource access. Authorities indicated that they expected “widespread” Citrix Bleed exploitation on unpatched services due to the ease of carrying out the exploit.\n\nAfter successful Citrix Bleed exploitation, LockBit affiliates were observed using a variety of follow-on TTPs and using a range of software, including abuse of native utilities and popular legitimate remote management and monitoring (“RMM”) tools. Indicators of compromise associated with recent intrusions and further incident response and mitigation guidance can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a).[[U.S. CISA LockBit Citrix Bleed November 21 2023](/references/21f56e0c-9605-4fbb-9cb1-f868ba6eb053)] Public reporting suggested that actors associated with the Medusa and Qilin ransomware operations, plus other unknown ransomware and uncategorized actors, had also exploited Citrix Bleed as part of their operations.[[Malwarebytes Citrix Bleed November 24 2023](/references/fdc86cea-0015-48d1-934f-b22244de6306)][[Cybernews Yanfeng Qilin November 2023](/references/93c89ca5-1863-4ee2-9fff-258f94f655c4)]",
"meta": {
- "campaign_attack_id": "C5011",
+ "campaign_attack_id": "C3016",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2023-11-16T00:00:00Z",
"owner": "TidalCyberIan",
@@ -917,10 +939,27 @@
"uuid": "f4225d6a-8734-401f-aa2a-1a73c23b16e6",
"value": "LockBit Affiliate Citrix Bleed Exploits"
},
+ {
+ "description": "Researchers discovered the existence of a newly identified red teaming framework used to generate attack payloads, called \"MacroPack\". The framework was used to deploy the Brute Ratel and Havoc post-exploitation frameworks and the PhantomCore remote access trojan. In addition to red teaming applications, researchers assessed that MacroPack is also being abused by threat actors.[[Cisco Talos Blog September 3 2024](/references/b222cabd-347d-45d4-aeaf-4135795d944d)]",
+ "meta": {
+ "campaign_attack_id": "C3052",
+ "first_seen": "2024-05-01T00:00:00Z",
+ "last_seen": "2024-07-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "2229e945-ec3d-4e20-ad4a-bd12741a6724",
+ "value": "MacroPack Payload Delivery Activity"
+ },
{
"description": "The DFIR Report researchers reported about activity taking place in May 2023, which saw an adversary, attributed to FIN11 and Lace Tempest, achieve initial access into a victim environment via a spearphishing email, leading to the download of Truebot malware. Several other tools and malware were then subsequently used to move laterally, discover and collect victim information, exfiltrate it, and ultimately deploy a wiper. These included: FlawedGrace, Cobalt Strike, Impacket, various native utilities, and MBR Killer. In total, the activity lasted for 29 hours.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]",
"meta": {
- "campaign_attack_id": "C5021",
+ "campaign_attack_id": "C3002",
"first_seen": "2023-05-01T00:00:00Z",
"last_seen": "2023-05-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -937,7 +976,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5027",
+ "campaign_attack_id": "C3023",
"first_seen": "2023-11-30T00:00:00Z",
"last_seen": "2024-01-12T00:00:00Z",
"owner": "TidalCyberIan",
@@ -955,7 +994,7 @@
{
"description": "Researchers observed a campaign that took place in the latter half of 2021, apparently directed at individuals representing financial and political figures in Palestine and Tukery, that used malicious, macro-based Microsoft Office files to compromise victim systems with the aim of installing a .NET-based backdoor tool. Researchers attributed the activity to the Molerats APT group.[[Zscaler Molerats Campaign](/references/3b39e73e-229f-4ff4-bec3-d83e6364a66e)]",
"meta": {
- "campaign_attack_id": "C5022",
+ "campaign_attack_id": "C3011",
"first_seen": "2021-07-01T00:00:00Z",
"last_seen": "2021-12-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -972,7 +1011,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques related to multiple incidents attributed to the North Korean actor group Moonstone Sleet that took place from August 2023 through May 2024. Attacks targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, and are believed to have been carried out for both financial gain and espionage purposes.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]",
"meta": {
- "campaign_attack_id": "C5039",
+ "campaign_attack_id": "C3039",
"first_seen": "2023-08-01T00:00:00Z",
"last_seen": "2024-05-28T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1001,7 +1040,7 @@
{
"description": "According to details published by Okta Security, threat actors gained unauthorized access to Okta’s customer support management system from September 28 to October 17, 2023. Initial access to the system was believed to have been achieved after an employee signed into a personal cloud account on their Okta-managed laptop and saved the legitimate credentials for an Okta service account into that cloud profile. Okta Security believes the personal cloud account was most likely compromised (through unspecified means), exposing the Okta service account credentials.\n\nAfter gaining access to the Okta customer support management system using the valid service account credentials, the threat actor accessed HTTP Archive (HAR) files provided by Okta customers, which can contain cookies and session tokens. Okta indicated that the threat actor used session tokens compromised during the incident to hijack the legitimate Okta sessions of at least five customers. The threat actor is also believed to have run and downloaded a report that contained the names and email addresses of all Okta customer support system users. Considering that customers’ names and email addresses were downloaded, Okta Security indicated that they assessed there is an increased risk of phishing and social engineering attacks directed at those users following the incident.[[Okta HAR Files Incident Notice](/references/14855034-494e-477d-8c91-fc534fd7790d)][[Okta HAR Files RCA](/references/742d095c-9bd1-4f4a-8bc6-16db6d15a9f4)][[Okta HAR Files Incident Update](/references/5e09ab9c-8cb2-49f5-b65f-fd5447e71ef4)]",
"meta": {
- "campaign_attack_id": "C5023",
+ "campaign_attack_id": "C3018",
"first_seen": "2023-09-28T00:00:00Z",
"last_seen": "2023-10-17T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1019,7 +1058,7 @@
{
"description": "\"Operation Bearded Barbie\" was a suspected AridViper (aka APT-C-23/Desert Falcon) campaign that appeared to target Israeli individuals, especially \"high-profile\" defense, law enforcement, and other government service personnel. The campaign heavily relied upon social engineering techniques, including the use of well-developed social media personas, aimed at tricking targets into installing backdoors for Windows and Android devices. The campaign appeared to be motivated by information collection for espionage purposes.[[Cybereason Operation Bearded Barbie April 5 2022](/references/7d71b7c9-531e-4e4f-ab85-df2380555b7a)]",
"meta": {
- "campaign_attack_id": "C5018",
+ "campaign_attack_id": "C3015",
"first_seen": "2022-03-01T00:00:00Z",
"last_seen": "2022-04-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1096,7 +1135,7 @@
{
"description": "Operation In(ter)ception refers to a series of threat activities attributed to Lazarus Group dating back to at least late 2019. Operation In(ter)ception campaigns are considered a sub-component of broader Lazarus Group espionage activities known as Operation Dream Job. Operation In(ter)ception attacks typically feature social engineering lures containing fake job vacany announcements for cryptocurrency companies. They are designed to ultimately infect targets with macOS malware.[[SentinelOne 9 26 2022](/references/973a110c-f1cd-46cd-b92b-5c7d8e7492b1)]",
"meta": {
- "campaign_attack_id": "C5040",
+ "campaign_attack_id": "C3040",
"first_seen": "2019-12-01T00:00:00Z",
"last_seen": "2022-09-26T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1149,7 +1188,7 @@
{
"description": "In May 2023, U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) authorities released Cybersecurity Advisory AA23-131A, which detailed observed exploits of a vulnerability, CVE-2023-27350, affecting certain versions of PaperCut NG and PaperCut MF, software applications for print management. PaperCut released a patch for the vulnerability in March 2023.[[PaperCut MF/NG vulnerability bulletin](/references/d6e71b45-fc91-40f4-8201-2186994ae42a)] According to the Advisory, authorities observed unspecified threat actors exploiting the vulnerability in mid-April 2023, followed by exploitation by the self-identified Bl00dy Ransomware Gang the following month.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\nCVE-2023-27350 allows a remote actor to bypass authentication and remotely execute code on servers running affected versions of PaperCut software. In May, U.S. authorities observed Bl00dy Ransomware Gang actors exploiting the vulnerability to achieve initial access into education sector entities' networks and ingressing both legitimate remote management and maintenance (RMM) tools and several other command and control-related malware, including Lizar, Truebot, and Cobalt Strike. In some cases, the actors ultimately exfiltrated victim data and encrypted files, demanding payment in order to decrypt affected systems (the Advisory did not indicate how precisely actors encrypted data). The Advisory indicated that the \"Education Facilities Subsector\" maintains nearly 70% of exposed (but not necessarily vulnerable) U.S.-based PaperCut servers.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\nThe Advisory instructed defenders to focus CVE-2023-27350 detection efforts on three areas: network traffic signatures, system monitoring, and server settings and log files. More details and resources for detection can be found in the [source report](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a).\n\n**Related Vulnerabilities**: CVE-2023-27350[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]",
"meta": {
- "campaign_attack_id": "C5003",
+ "campaign_attack_id": "C3006",
"first_seen": "2023-04-15T00:00:00Z",
"last_seen": "2023-05-30T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1169,7 +1208,7 @@
{
"description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nThis is a single object to represent the initial access and delivery methods observed with Pikabot distribution in the first year after its discovery. Distribution campaigns have been linked to the TA577 threat actor (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike)[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)][[Unit42 Malware Roundup December 29 2023](/references/a18e19b5-9046-4c2c-bd94-2cd5061064bf)]; however, the Technique- and Procedure level intelligence associated with these campaigns that is provided below was not explicitly linked to that group, so we are providing this intelligence to users in this Campaign form. The Water Curupira intrusion set (affiliated with the Black Basta ransomware operation) has also been observed distributing Pikabot.[[Trend Micro Pikabot January 9 2024](/references/dc7d882b-4e83-42da-8e2f-f557b675930a)]",
"meta": {
- "campaign_attack_id": "C5013",
+ "campaign_attack_id": "C3019",
"first_seen": "2023-02-01T00:00:00Z",
"last_seen": "2023-12-31T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1186,7 +1225,7 @@
{
"description": "Researchers observed a campaign, with activity occurring between March and at least June 2024, where multiple discrete threat actor clusters used similar social engineering techniques to trick users into copying and executing PowerShell scripts, which ultimately led to malware deployment on the victim's system. Payloads included droppers, RATs, and information stealer malware.\n\nInitial contact with the victim occurred through both malspam email campaigns and web browser injects, which would trigger a popup claiming an error occurred when trying to open a document or webpage. The popup would prompt the user to run a script in the PowerShell terminal or Windows Run dialog box. Researchers attributed these campaigns to TA571, an initial access broker, a known intrusion set (ClearFake), and a newer group dubbed ClickFix.[[Proofpoint June 17 2024](/references/a65d7492-04a4-46d4-85ed-134786c6828b)][[BleepingComputer Fake Chrome Errors June 17 2024](/references/6efa70e3-d8eb-4260-b0ab-62335681e6fd)]",
"meta": {
- "campaign_attack_id": "C5045",
+ "campaign_attack_id": "C3045",
"first_seen": "2024-03-01T00:00:00Z",
"last_seen": "2024-06-07T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1203,7 +1242,7 @@
{
"description": "A collections of TTPs associated with a phishing-based campaign that resulted in QakBot deployments. The campaign comes about four months after the reported disruption of QakBot distribution networks in an international law enforcement operation.[[K7 QakBot Returns January 4 2024](/references/5cb5e645-b77b-4bd1-a742-c8f53f234713)]",
"meta": {
- "campaign_attack_id": "C5024",
+ "campaign_attack_id": "C3020",
"first_seen": "2023-12-11T00:00:00Z",
"last_seen": "2024-01-04T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1221,7 +1260,7 @@
{
"description": "Independent investigators reported details about a response to a compromise involving Quantum ransomware. The date of the attack was not disclosed, but the incident was reported in April 2022. IcedID was used to gain an initial foothold, Cobalt Strike and RDP were leveraged for lateral movement, and WMI and PsExec were used to deploy the ransomware payload. The incident was described as \"one of the fastest ransomware cases\" the investigators had handled, with domain-wide encryption occurring within four hours of initial access.[[The DFIR Report April 25 2022](/references/2e28c754-911a-4f08-a7bd-4580f5283571)]",
"meta": {
- "campaign_attack_id": "C5043",
+ "campaign_attack_id": "C3043",
"first_seen": "2022-04-01T00:00:00Z",
"last_seen": "2022-04-25T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1240,7 +1279,7 @@
{
"description": "Researchers have observed an evolution in Scattered Spider's/UNC3944's TTPs since the second half of 2023, with actors especially focusing on gaining wide access to victim SaaS environments for reconnaissance, data theft, and subsequent extortion purposes. This object reflects the MITRE ATT&CK® Techniques associated with this activity.[[Google Cloud June 13 2024](/references/161423a2-165d-448f-90e9-0c53e319a125)]\n\nNotable Techniques newly associated with Scattered Spider via this Campaign object include Forge Web Credentials: SAML Tokens (T1606.002), Impair Defenses: Disable or Modify Tools (T1562.001), Indicator Removal: Clear Windows Event Logs (T1070.001), Software Discovery: Security Software Discovery (T1518.001), and Pre-OS Boot: System Firmware (T1542.001).",
"meta": {
- "campaign_attack_id": "C5041",
+ "campaign_attack_id": "C3041",
"first_seen": "2023-08-13T00:00:00Z",
"last_seen": "2024-06-13T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1258,7 +1297,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to recently reported attacks that featured exploits of recently disclosed vulnerabilities in the ConnectWise ScreenConnect utility (CVE-2024-1709 and CVE-2024-1708, aka \"SlashAndGrab\"). Several of the observed attacks saw the ingress of various malicious tools, including suspected ransomware.\n\nFurther background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5028",
+ "campaign_attack_id": "C3024",
"first_seen": "2024-02-19T00:00:00Z",
"last_seen": "2024-02-23T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1296,7 +1335,7 @@
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Groups and/or Software) related to the specified threat activity. Further background & contextual details can be found in the References tab below.",
"meta": {
- "campaign_attack_id": "C5030",
+ "campaign_attack_id": "C3029",
"first_seen": "2024-02-26T00:00:00Z",
"last_seen": "2024-02-27T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1325,10 +1364,38 @@
"uuid": "6c7185e1-bd46-5a80-9a76-a376b16fbc7b",
"value": "Triton Safety Instrumented System Attack"
},
+ {
+ "description": "On September 5, 2024, international authorities published joint Cybersecurity Advisory AA24-249A, which detailed recent activity linked to cyber actors affiliated with the 161st Specialist Training Center (aka Unit 29155) of the Russian General Staff Main Intelligence Directorate (GRU), the foreign military intelligence agency of Russia's armed forces. The advisory highlighted Unit 29155 espionage, sabotage, and reputational cyber attacks carried out against targets around the world since 2020.\n\nWhile Unit 29155 had been previously linked to influence, interference, and physical sabotage operations, the advisory noted how the group has expanded its tradecraft to now include offensive cyber operations. The advisory indicated that several groups tracked by the cybersecurity community relate to Unit 29155 cyber actors but may not be directly synonyms with all parts of the Unit (or each other), including: Cadet Blizzard, DEV-0586, Ember Bear, Bleeding Bear, Frozenvista, UNC2589, and UAC-0056.[[U.S. CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]",
+ "meta": {
+ "campaign_attack_id": "C3053",
+ "first_seen": "2020-08-03T00:00:00Z",
+ "last_seen": "2024-09-05T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "5b8371c5-1173-4496-82c7-5f0433987e77",
+ "f18e6c1d-d2ee-4eda-8172-67dcbc4e59ed",
+ "9e4936f0-e3b7-4721-a638-58b2d093b2f2",
+ "1281067e-4a7e-4003-acf8-e436105bf395",
+ "7c67d99a-fc8a-4463-8f46-45e9a39fe6b0",
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4"
+ ]
+ },
+ "related": [],
+ "uuid": "5e1bc9d2-1f2e-4ba3-b6b8-8d4e1f635762",
+ "value": "Unit 29155 Russian Military Cyber Activity"
+ },
{
"description": "Researchers observed suspected \"China-nexus\" actor Velvet Ant exploiting CVE-2024-20399 in Cisco Nexus network switch devices in order to upload and execute \"previously unknown custom malware\" on the devices' operating systems. Researchers first observed \"zero-day\" exploit activity in the wild at an undisclosed point \"during the past year\", and after they shared the findings, Cisco acknowledged the vulnerability in an advisory published on July 1, 2024.\n\nThe vulnerability's overall risk is mitigated by the fact that it requires valid administrator-level credentials and network access to the target switch for successful exploitation. However, researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\". This exploit campaign was discovered as part of a larger investigation into Velvet Ant, which was previously observed targeting F5 load balancer devices for persistence.[[The Hacker News Velvet Ant Cisco July 2 2024](/references/e3949201-c949-4126-9e02-34bfad4713c0)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]",
"meta": {
- "campaign_attack_id": "C5046",
+ "campaign_attack_id": "C3046",
"first_seen": "2023-07-01T00:00:00Z",
"last_seen": "2024-07-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1348,7 +1415,7 @@
{
"description": "This object reflects the tools & TTPs associated with a campaign attributed to Velvet Ant, a suspected \"China-nexus\" state-sponsored threat group. Researchers believe the actor managed to maintain extremely prolonged access to a victim network – residing and remaining active there for around three years – notably by abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as an internal command and control mechanism. Researchers assess the intrusion was carried out for espionage purposes.[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[BleepingComputer Velvet Ant June 17 2024](/references/70235e47-f8bb-4d16-9933-9f4923f08f5d)]",
"meta": {
- "campaign_attack_id": "C5044",
+ "campaign_attack_id": "C3044",
"first_seen": "2020-12-01T00:00:00Z",
"last_seen": "2023-12-01T00:00:00Z",
"owner": "TidalCyberIan",
@@ -1363,10 +1430,49 @@
"uuid": "b78565ce-8eec-49ad-b762-8d2107fa9ce7",
"value": "Velvet Ant F5 BIG-IP Espionage Activity"
},
+ {
+ "description": "Void Banshee is an advanced persistent threat (APT) group identified by Trend Micro researchers, which is known to target victims in North America, Europe, and Southeast Asia for information theft and financial gain. In May 2024, researchers observed Void Banshee actors exploiting CVE-2024-38112, a remote code execution vulnerability in the \"MSHTML\" web browser software component. The vulnerability had not been previously disclosed, so the campaign was characterized as \"zero-day\" exploit activity. Actors delivered the Atlantida infostealer malware during the observed attacks.[[Trend Micro Void Banshee July 15 2024](/references/02c4dda2-3aae-43ec-9b14-df282b200def)]\n\nLater, researchers noted that Void Banshee also exploited a separate MSHTML-related vulnerability, CVE-2024-43461, as a zero-day during attacks culminating in Atlantida infostealer deployments.[[BleepingComputer Void Banshee September 16 2024](/references/2c9a2355-02c5-4718-ad6e-b2fac9ad4096)]",
+ "meta": {
+ "campaign_attack_id": "C3054",
+ "first_seen": "2024-05-15T00:00:00Z",
+ "last_seen": "2024-07-15T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "0281a78d-1eb1-4e10-9327-2032928e37d9",
+ "ff8a2e10-4bf7-45f0-954c-8847fdcb9612",
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "dbe34d5d-91b0-4a50-98c7-4e36ba0bcda6",
+ "value": "Void Banshee Zero-Day Exploit Activity"
+ },
+ {
+ "description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects related to the subject threat. Further contextual details are provided via the sources in the References tab below and any associated Tags.",
+ "meta": {
+ "campaign_attack_id": "C3050",
+ "first_seen": "2024-08-05T00:00:00Z",
+ "last_seen": "2024-08-29T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
+ "82009876-294a-4e06-8cfc-3236a429bda4",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "e740e392-98cb-428a-ab92-b0a4d1d546b7",
+ "value": "Voldemort Malware Delivery Campaign"
+ },
{
"description": "A suspected affiliate of the Zloader operation carried out attacks mainly affecting financial institutions. Intrusions typically came via drive-by compromise and initiallly saw the installation of the Atera software, which was then used to load Zloader, and in some cases, Ursnif.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]",
"meta": {
- "campaign_attack_id": "C5020",
+ "campaign_attack_id": "C3001",
"first_seen": "2020-10-01T00:00:00Z",
"last_seen": "2022-04-13T00:00:00Z",
"owner": "TidalCyberIan",
diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json
index b3b4666..344c6f0 100644
--- a/clusters/tidal-groups.json
+++ b/clusters/tidal-groups.json
@@ -12,7 +12,7 @@
{
"description": "This object represents the behaviors associated with operators of 8Base ransomware, who may or may not operate as a cohesive unit. Behaviors associated with samples of 8Base ransomware are represented in the \"8Base Ransomware\" Software object.\n \nThe 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[[VMWare 8Base June 28 2023](/references/573e9520-6181-4535-9ed3-2338688a8e9f)][[Acronis 8Base July 17 2023](/references/c9822477-1578-4068-9882-41e4d6eaee3f)]",
"meta": {
- "group_attack_id": "G5030",
+ "group_attack_id": "G3014",
"observed_motivations": [
"Financial Gain"
],
@@ -54,12 +54,7 @@
"Financial Services"
]
},
- "related": [
- {
- "dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
"value": "admin@338"
},
@@ -100,6 +95,7 @@
],
"source": "MITRE",
"tags": [
+ "fde14c10-e749-4c04-b97f-1d9fbd6e72e7",
"0580d361-b60b-4664-9b2e-6d737e495cc1",
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
"a159c91c-5258-49ea-af7d-e803008d97d3",
@@ -114,6 +110,7 @@
"562e535e-19f5-4d6c-81ed-ce2aec544f09"
],
"target_categories": [
+ "Aerospace",
"Agriculture",
"Banks",
"Construction",
@@ -128,7 +125,8 @@
"Non Profit",
"Retail",
"Technology",
- "Telecommunications"
+ "Telecommunications",
+ "Transportation"
]
},
"related": [],
@@ -310,7 +308,7 @@
{
"description": "AnonGhost is an apparent hacktivist collective. In October 2023, following a series of air- and land-based attacks in the Gaza Strip, AnonGhost was one of several hacktivist groups that claimed responsibility for disruptive attacks against computer networks in Israel. Researchers indicated that they observed AnonGhost actors exploit an undisclosed API vulnerability in Red Alert, an application that provides warning of projectile attacks in Israel, using Python scripts to intercept web requests and send spam messages to the app's users.[[Group-IB Threat Intelligence Tweet October 9 2023](/references/2df546ed-6577-44b2-9b26-0a17c3622df7)]",
"meta": {
- "group_attack_id": "G5011",
+ "group_attack_id": "G3024",
"observed_countries": [
"IL",
"US"
@@ -330,7 +328,7 @@
{
"description": "Anonymous Sudan is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) and website defacement attacks in support of its ideology, which appears to largely align with Russian state interests. The group regularly cross-promotes communications with Killnet, another hacktivist group that appears to share similar ideologies and methods of operation.[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)] Researchers assess that the group is affiliated with neither the Anonymous hacktivist group nor Sudan.[[CyberCX Anonymous Sudan June 19 2023](/references/68ded9b7-3042-44e0-8bf7-cdba2174a3d8)]\n\nSince emerging in January 2023, Anonymous Sudan has claimed and is believed to be responsible for a considerable number of DDoS attacks affecting victims in a wide range of geographic locations and sectors.[[Flashpoint Anonymous Sudan Timeline](/references/2e7060d2-f7bc-457e-a2e6-12897d503ea6)] It claimed responsibility for a series of early June 2023 DDoS attacks that caused temporary interruptions to Microsoft Azure, Outlook, and OneDrive services. Microsoft security researchers attributed those attacks to the Storm-1359 group.[[The Hacker News Microsoft DDoS June 19 2023](/references/2ee27b55-b7a7-40a8-8c0b-5e28943cd273)][[Microsoft DDoS Attacks Response June 2023](/references/d64e941e-785b-4b23-a7d0-04f12024b033)] Like Killnet, Anonymous Sudan claimed responsibility for disruptive attacks against computer networks in Israel following a series of air- and land-based attacks in the Gaza Strip in October 2023.[[FalconFeedsio Tweet October 9 2023](/references/e9810a28-f060-468b-b4ea-ffed9403ae8b)]",
"meta": {
- "group_attack_id": "G5010",
+ "group_attack_id": "G3023",
"observed_countries": [
"AU",
"DK",
@@ -419,12 +417,7 @@
"Transportation"
]
},
- "related": [
- {
- "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"value": "APT1"
},
@@ -466,12 +459,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "06a05175-0812-44f5-a529-30eba07d1762",
"value": "APT16"
},
@@ -503,12 +491,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5f083251-f5dc-459a-abfc-47a1aa7f5094",
"value": "APT17"
},
@@ -526,12 +509,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a0c31021-b281-4c41-9855-436768299fe7",
"value": "APT18"
},
@@ -557,12 +535,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439",
"value": "APT19"
},
@@ -570,7 +543,7 @@
"description": "APT20 is a suspected China-attributed espionage actor. It has attacked organizations in a wide range of verticals for data theft. These operations appear to be motivated by the acquisition of intellectual property but also collection of information around individuals with particular political interests.[[Mandiant APT Groups List](/references/c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97)] Researchers attributed, with medium confidence, the years-long Operation Wocao espionage campaign to APT20.[[FoxIT Wocao December 2019](/references/aa3e31c7-71cd-4a3f-b482-9049c9abb631)]",
"meta": {
"country": "CN",
- "group_attack_id": "G5006",
+ "group_attack_id": "G3020",
"observed_countries": [
"BR",
"CN",
@@ -705,12 +678,7 @@
"Utilities"
]
},
- "related": [
- {
- "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"value": "APT28"
},
@@ -800,12 +768,7 @@
"Video Games"
]
},
- "related": [
- {
- "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"value": "APT29"
},
@@ -864,12 +827,7 @@
"Media"
]
},
- "related": [
- {
- "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
"value": "APT30"
},
@@ -907,12 +865,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"value": "APT32"
},
@@ -927,6 +880,7 @@
"IL",
"KR",
"SA",
+ "AE",
"GB",
"US"
],
@@ -935,20 +889,23 @@
],
"source": "MITRE",
"tags": [
+ "cb5803f0-8ab4-4ada-8540-7758dfc126e2",
+ "0f1b7cb0-c4de-485e-8ff5-fe12ffccd738",
+ "dd24557e-a8e8-4202-872d-c2f411974cad",
"c9c73000-30a5-4a16-8c8b-79169f9c24aa",
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
],
"target_categories": [
"Aerospace",
- "Energy"
+ "Defense",
+ "Education",
+ "Energy",
+ "Government",
+ "Pharmaceuticals",
+ "Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"value": "APT33"
},
@@ -983,12 +940,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"value": "APT37"
},
@@ -1054,12 +1006,7 @@
"Media"
]
},
- "related": [
- {
- "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "dfbce236-735c-436d-b433-933bd6eae17b",
"value": "APT38"
},
@@ -1078,6 +1025,9 @@
"AE",
"US"
],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
"source": "MITRE",
"target_categories": [
"Education",
@@ -1086,12 +1036,7 @@
"Travel Services"
]
},
- "related": [
- {
- "dest-uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
"value": "APT39"
},
@@ -1167,12 +1112,7 @@
"Video Games"
]
},
- "related": [
- {
- "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
"value": "APT41"
},
@@ -1180,7 +1120,7 @@
"description": "APT42 is an Iranian state-sponsored espionage group believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO). APT42 primarily focuses on collecting information on and surveilling its targets, mainly individuals and organizations with strategic significance to Iran's government. The group's operations are characterized by targeted spear-phishing attacks and surveillance activity. Mandiant researchers acknowledged overlaps between APT42 and APT35, which both likely operate on behalf of the IRGC, but noted that the groups display \"substantial differences\" in targeting patterns and TTPs.[[Mandiant Crooked Charms August 12 2022](/references/53bab956-be5b-4d8d-b553-9926bc5d9fee)]",
"meta": {
"country": "IR",
- "group_attack_id": "G5051",
+ "group_attack_id": "G3050",
"observed_countries": [
"AU",
"BG",
@@ -1327,12 +1267,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca",
"value": "Axiom"
},
@@ -1373,7 +1308,7 @@
{
"description": "BianLian is an extortion-focused threat actor group. The group originally used double-extortion methods when it began its operations in June 2022, demanding payment in exchange for decrypting locked files while also threatening to leak exfiltrated data. U.S. & Australian cybersecurity officials observed BianLian actors shifting almost exclusively to exfiltration-focused extortion schemes in 2023.[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)], CVE-2021-34473[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)], CVE-2021-34523[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)], CVE-2021-31207[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)]\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/BianLian",
"meta": {
- "group_attack_id": "G5000",
+ "group_attack_id": "G3002",
"observed_countries": [
"AU",
"CA",
@@ -1438,7 +1373,7 @@
{
"description": "Bl00dy self-identifies as a ransomware group. It gained attention in May 2023 for a series of data exfiltration and encryption attacks against education entities in the United States that featured exploit of vulnerabilities in PaperCut print management software, which is prevalent in the sector.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]\n\n**Related Vulnerabilities**: CVE-2023-27350[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]",
"meta": {
- "group_attack_id": "G5002",
+ "group_attack_id": "G3010",
"observed_countries": [
"US"
],
@@ -1472,7 +1407,7 @@
{
"description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Black Basta, a ransomware-as-a-service (RaaS) variant that researchers believe has been used since at least April 2022. Black Basta affiliates have attacked a very wide range of targets, including organizations in at least 12 out of 16 U.S. critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.[[U.S. CISA Black Basta May 10 2024](/references/10fed6c7-4d73-49cd-9170-3f67d06365ca)]\n\nSpecific pre- and post-exploit behaviors may vary among intrusions carried out by different Black Basta affiliates. TTPs associated with the Black Basta ransomware binary itself can be found in the separate dedicated Software object.",
"meta": {
- "group_attack_id": "G5023",
+ "group_attack_id": "G3037",
"observed_countries": [
"AU",
"AT",
@@ -1522,7 +1457,7 @@
{
"description": "This object represents the BlackCat/ALPHV Ransomware-as-a-Service (“RaaS”) apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nResearchers first observed BlackCat ransomware (AKA ALPHV or Noberus) in November 2021. An April 2022 U.S. FBI advisory linked BlackCat’s developers and money launderers to the defunct Blackmatter and Darkside ransomware operations (the latter was responsible for the major 2021 Colonial Pipeline incident).[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] As of September 2023, BlackCat is believed to be responsible for attacking organizations globally and in virtually every major sector, and it consistently claims some of the highest victim tallies of any RaaS. According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, BlackCat actors publicly claimed 233 victims in 2022, the third most of any ransomware operation in the dataset (considerably below Clop (558) but well above Hive (181)), and it already surpassed that number by July of 2023.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] Like many RaaS, BlackCat actors threaten to leak exfiltrated victim data, but they also threaten to carry out denial of service attacks if victims do not pay timely ransoms.[[BlackBerry BlackCat Threat Overview](/references/59f98ae1-c62d-460f-8d2a-9ae287b59953)]\n\nBlackCat developers have regularly evolved the namesake ransomware over time, and collaboration with affiliates means that a large number and variety of tools & TTPs are observed during intrusions involving BlackCat. BlackCat became the first prominent ransomware family to transition to the Rust programming language in 2022, which researchers assess provides greater customization and defense evasion capabilities and faster performance.[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)][[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] A BlackCat variant named Sphynx emerged in early 2023, featuring multiple defense evasion-focused enhancements. In Q3 2023, public reports suggested that Scattered Spider (AKA 0ktapus or UNC3944), a group attributed to several prominent intrusions involving telecommunications, technology, and casino entities, had begun to use BlackCat/Sphynx ransomware during its operations.[[Caesars Scattered Spider September 13 2023](/references/6915c003-7c8b-451c-8fb1-3541f00c14fb)][[BushidoToken Scattered Spider August 16 2023](/references/621a8320-0e3c-444f-b82a-7fd4fdf9fb67)]",
"meta": {
- "group_attack_id": "G5005",
+ "group_attack_id": "G3019",
"observed_countries": [
"AU",
"AT",
@@ -1639,19 +1574,14 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "428dc121-a593-4981-9127-f958ae0a0fdd",
"value": "BlackOasis"
},
{
"description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy BlackSuit, a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[[HC3 Analyst Note BlackSuit Ransomware November 2023](/references/d956f0c6-d90e-49e8-a64c-a46bfc177cc6)] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\nATT&CK Techniques associated with the BlackSuit ransomware binary are tracked in a separate \"BlackSuit Ransomware\" Software object.",
"meta": {
- "group_attack_id": "G5048",
+ "group_attack_id": "G3047",
"observed_countries": [
"AU",
"BR",
@@ -1731,12 +1661,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
"value": "BlackTech"
},
@@ -1780,19 +1705,14 @@
"Manufacturing"
]
},
- "related": [
- {
- "dest-uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"value": "BRONZE BUTLER"
},
{
"description": "This Group object reflects the tools & TTPs observed in use by threat actors known to deploy CACTUS, a ransomware that researchers believe has been used since at least March 2023.[[Kroll CACTUS Ransomware May 10 2023](/references/f50de2f6-465f-4cae-a79c-cc135ebfee4f)] Specific pre- and post-exploit behaviors may vary among intrusions carried out by distinct actors or actor clusters. TTPs associated with the CACTUS ransomware binary itself can be found in the separate dedicated Software object.",
"meta": {
- "group_attack_id": "G5035",
+ "group_attack_id": "G3030",
"observed_countries": [
"AU",
"BE",
@@ -1814,6 +1734,7 @@
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
+ "0bcc4824-7e68-4aac-b883-935e62b5be39",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"3b615816-3403-46a4-bd7e-f7a723fc56da",
"a2e000da-8181-4327-bacd-32013dbd3654",
@@ -1877,15 +1798,33 @@
"Financial Services"
]
},
- "related": [
- {
- "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
"value": "Carbanak"
},
+ {
+ "description": "Charcoal Stork is a threat actor believed to provide content used to fuel malvertising and search engine optimization (SEO) operations, which affiliates ultimately use to deliver malware to victim systems. Charcoal Stork is thought to be financially motivated, operating on a pay-per-install basis.[[Red Canary March 18 2024](/references/a86131cd-1a42-4222-9d39-221dd6e054ba)]",
+ "meta": {
+ "group_attack_id": "G5022",
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Commercial",
+ "Healthcare",
+ "Manufacturing"
+ ]
+ },
+ "related": [],
+ "uuid": "6d23e83f-fd4f-4802-bd01-daff7348741d",
+ "value": "Charcoal Stork"
+ },
{
"description": "[Chimera](https://app.tidalcyber.com/groups/ca93af75-0ffa-4df4-b86a-92d4d50e496e) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[[Cycraft Chimera April 2020](https://app.tidalcyber.com/references/a5a14a4e-2214-44ab-9067-75429409d744)][[NCC Group Chimera January 2021](https://app.tidalcyber.com/references/70c217c3-83a2-40f2-8f47-b68d8bd4cdf0)]",
"meta": {
@@ -1895,6 +1834,9 @@
"TW"
],
"source": "MITRE",
+ "tags": [
+ "ff873c9d-468f-46c4-a6ee-c8c707df0be7"
+ ],
"target_categories": [
"Semi Conductors",
"Travel Services"
@@ -1904,6 +1846,35 @@
"uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
"value": "Chimera"
},
+ {
+ "description": "A suspected ransomware-as-a-service (\"RaaS\") group first observed in June 2024, which extorts victims via traditional ransomware encryption and by threatening to leak allegedly exfiltrated data onto the web.[[Truesec AB August 30 2024](/references/de2de0a9-17d2-41c2-838b-7850762b80ae)]",
+ "meta": {
+ "group_attack_id": "G3051",
+ "observed_countries": [
+ "GB",
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a2e000da-8181-4327-bacd-32013dbd3654",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Manufacturing"
+ ]
+ },
+ "related": [],
+ "uuid": "7a28cff6-80df-49e1-8457-a0305e736897",
+ "value": "Cicada3301 Ransomware Group"
+ },
{
"description": "[Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) source code. [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, [Cinnamon Tempest](https://app.tidalcyber.com/groups/8e059c6b-d278-5454-a234-a8ad69feb66c) may be motivated by intellectual property theft or cyberespionage rather than financial gain.[[Microsoft Ransomware as a Service](https://app.tidalcyber.com/references/833018b5-6ef6-5327-9af5-1a551df25cd2)][[Microsoft Threat Actor Naming July 2023](https://app.tidalcyber.com/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)][[Trend Micro Cheerscrypt May 2022](https://app.tidalcyber.com/references/ca7ccf2c-37f3-522a-acfb-09daa16e23d8)][[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022](https://app.tidalcyber.com/references/0b275cf9-a885-58cc-b859-112090a711e3)]",
"meta": {
@@ -1952,12 +1923,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
"value": "Cleaver"
},
@@ -1993,12 +1959,7 @@
"Financial Services"
]
},
- "related": [
- {
- "dest-uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
"value": "Cobalt Group"
},
@@ -2046,19 +2007,67 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b",
"value": "CopyKittens"
},
+ {
+ "description": "CosmicBeetle is a threat actor, active since 2020, that has been associated with multiple ransomware families. Originally known for using a set of custom tools, including ScRansom (a successor to the \"Scarab\" encryptor), researchers reported in September 2024 that they observed a suspected CosmicBeetle attack that involved deployment of tools and malware associated with the RansomHub ransomware-as-a-service operation.[[WeLiveSecurity CosmicBeetle September 10 2024](/references/8debba29-4d6d-41d2-8772-f97c7d49056b)][[BleepingComputer NoName September 10 2024](/references/79752048-f2fd-4357-9e0a-15b9a2927852)]",
+ "meta": {
+ "group_attack_id": "G3053",
+ "observed_countries": [
+ "AT",
+ "CZ",
+ "FR",
+ "GF",
+ "GE",
+ "GT",
+ "IN",
+ "PE",
+ "PL",
+ "ZA",
+ "ES",
+ "CH",
+ "TR"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "55ba9d29-7185-40eb-ba10-874cb3997a0f",
+ "793f4441-3916-4b3d-a3fd-686a59dc3de2",
+ "c40971d6-ad75-4b2d-be6c-5353c96a232d",
+ "3adcb409-166d-4465-ba1f-ddaecaff8282",
+ "33d22eff-59a1-47e0-b9eb-615dee314595",
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
+ "09de661e-60c4-43fb-bfef-df017215d1d8",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Education",
+ "Financial Services",
+ "Government",
+ "Healthcare",
+ "Hospitality Leisure",
+ "Legal",
+ "Manufacturing",
+ "Pharmaceuticals",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8",
+ "value": "CosmicBeetle"
+ },
{
"description": "A Group object to represent actors that deploy Cuba Ransomware in victim environments.[[U.S. CISA Cuba Ransomware October 2022](/references/d6ed5172-a319-45b0-b1cb-d270a2a48fa3)]",
"meta": {
- "group_attack_id": "G5026",
+ "group_attack_id": "G3008",
"observed_motivations": [
"Financial Gain"
],
@@ -2090,7 +2099,7 @@
"description": "The Cyber Army of Russia is a threat group that appears to carry out cyber attacks in line with Russian strategic interests. The group has claimed many distributed denial of service (DDoS) attacks against a variety of targets perceived as opposed to Russian interests. More recently, it has claimed disruptive industrial software-based attacks against water utilities in the United States, France, and Poland. Researchers link the Cyber Army of Russia to APT44 / Sandworm Team, although it remains unclear what level of direct support, if any, is provided by the latter group.[[Wired Cyber Army of Russia April 17 2024](/references/53583baf-4e09-4d19-9348-6110206b88be)][[Mandiant APT44 April 17 2024](/references/a64f689e-2bb4-4253-86cd-545e7f633a7e)]",
"meta": {
"country": "RU",
- "group_attack_id": "G5038",
+ "group_attack_id": "G3035",
"observed_countries": [
"FR",
"PL",
@@ -2124,7 +2133,7 @@
"description": "CyberAv3ngers is a cyber actor group that has claimed responsibility for numerous disruption-focused attacks against critical infrastructure organizations, including an oil refinery and electric utility in Israel and water/wastewater utilities in the United States. According to a joint advisory released by U.S. & Israeli cybersecurity authorities in December 2023, CyberAv3ngers (aka Cyber Av3ngers or Cyber Avengers) is a “cyber persona” of advanced persistent threat actors affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC). The advisory detailed how suspected CyberAv3ngers actors compromised programmable logic controller (PLC) devices that were exposed to the internet and used the vendor's default passwords and ports, leaving defacement images and possibly rendering the devices inoperable. The defacement messages suggested that the group or affiliates might carry out attacks against other technological equipment produced in or associated with Israel.[[U.S. CISA IRGC-Affiliated PLC Activity December 2023](/references/51a18523-5276-4a67-8644-2bc6997d043c)]",
"meta": {
"country": "IR",
- "group_attack_id": "G5016",
+ "group_attack_id": "G3028",
"observed_countries": [
"IL",
"US"
@@ -2152,7 +2161,7 @@
{
"description": "Cyber Toufan is an apparently politically motivated, destruction-focused threat actor group that has predominantly targeted organizations based in or perceived to be aligned with Israel. Cyber Toufan publicizes many of their cyber operations and in some cases has leaked victim data allegedly exfiltrated during their attacks.[[SOCRadar Cyber Toufan Profile](/references/a9aa6361-8c4d-4456-bb3f-c64ca5260695)] Check Point researchers labeled Cyber Toufan as an \"Iranian-affiliated\", \"hacktivist proxy\" group.[[Check Point Iranian Proxies December 4 2023](/references/60432d84-8f46-4934-951f-df8e0f297ff0)]",
"meta": {
- "group_attack_id": "G5049",
+ "group_attack_id": "G3048",
"observed_countries": [
"IL",
"GB",
@@ -2181,7 +2190,7 @@
{
"description": "Daixin Team is a ransomware- and data extortion-focused threat group first observed in mid-2022. Daixin Team is known to publicly extort its victims to pressure them into paying a ransom. It has used ransomware (believed to be based on the leaked source code for Babuk Locker) to encrypt victim data and has also exfiltrated sensitive data from victim environments and threatened to publicly leak that data.\n\nMany of Daixin Team’s victims belong to critical infrastructure sectors, especially the Healthcare and Public Health (“HPH”) sector. An October 2022 joint Cybersecurity Advisory noted Daixin Team attacks on multiple U.S. HPH organizations.[[U.S. CISA Daixin Team October 2022](/references/cbf5ecfb-de79-41cc-8250-01790ff6e89b)] Alleged victims referenced on the threat group’s extortion website belong to the healthcare, utilities, transportation (airline), automobile manufacturing, information technology, retail, and media sectors in the United States, Europe, and Asia.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]",
"meta": {
- "group_attack_id": "G5015",
+ "group_attack_id": "G3007",
"observed_countries": [
"CA",
"DE",
@@ -2248,12 +2257,7 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14",
"value": "Dark Caracal"
},
@@ -2287,12 +2291,7 @@
"Non Profit"
]
},
- "related": [
- {
- "dest-uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "efa1d922-8f48-43a6-89fe-237e1f3812c8",
"value": "Darkhotel"
},
@@ -2306,12 +2305,7 @@
"Government"
]
},
- "related": [
- {
- "dest-uuid": "ce2c2dfd-2445-4fbc-a747-9e7092e383f9",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75",
"value": "DarkHydrus"
},
@@ -2362,12 +2356,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
"value": "Deep Panda"
},
@@ -2407,12 +2396,7 @@
"Travel Services"
]
},
- "related": [
- {
- "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
"value": "Dragonfly"
},
@@ -2433,12 +2417,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f2c2db08-624c-46b9-b7ed-b22c21b81813",
"value": "DragonOK"
},
@@ -2479,19 +2458,14 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "da754aeb-a86d-4874-b388-d1d2028a56be",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"value": "Elderwood"
},
{
"description": "This object reflects the ATT&CK Techniques associated with threat actors who deploy Eldorado, a ransomware-as-a-service (\"RaaS\") first advertised for sale on cybercrime forums in March 2024. Researchers assess that Eldorado is a \"unique\" ransomware strain that is likely not derived from previously leaked ransomware source code.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)]\n\nWindows and Linux-focused versions of the ransomware are known to exist. (ATT&CK Techniques associated with these malware binaries are tracked in a separate \"Eldorado Ransomware\" Software object.)",
"meta": {
- "group_attack_id": "G5046",
+ "group_attack_id": "G3045",
"observed_motivations": [
"Financial Gain"
],
@@ -2576,12 +2550,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a4704485-65b5-49ec-bebe-5cc932362dd2",
"value": "Equation"
},
@@ -2651,19 +2620,14 @@
"Mining"
]
},
- "related": [
- {
- "dest-uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533",
"value": "FIN10"
},
{
"description": "FIN11 is a financially motivated adversary identified by Mandiant in 2020. Originally known for high-volume phishing campaigns leading to ransomware and data theft, the group more recently is known for carrying out wide-ranging exploitation of multiple vulnerabilities in 2023, including vulnerabilities affecting PaperCut print management software and MOVEit Transfer file transfer software to deliver Clop ransomware and for more general data theft, respectively, as well as GoAnywhere file transfer software exploits.[[Microsoft Threat Intelligence Tweet April 26 2023](/references/3b5a2349-e10c-422b-91e3-20e9033fdb60)][[Mandiant MOVEit Transfer June 2 2023](/references/232c7555-0483-4a57-88cb-71a990f7d683)]. Microsoft Threat Intelligence reports overlaps between FIN11 and Lace Tempest (DEV-0950), which it identifies as a Clop ransomware affiliate. The DFIR Report researchers attributed a May 2023 data theft and wiper campaign to FIN11 and Lace Tempest.[[The DFIR Report Truebot June 12 2023](/references/a6311a66-bb36-4cad-a98f-2b0b89aafa3d)]",
"meta": {
- "group_attack_id": "G5028",
+ "group_attack_id": "G3011",
"observed_countries": [
"CA",
"IN",
@@ -2696,7 +2660,7 @@
{
"description": "FIN12 is a financially motivated threat actor group believed to be responsible for multiple high-profile ransomware attacks since 2018. The group has attacked victims in various sectors and locations, including multiple attacks on healthcare entities. An October 2021 Mandiant assessment indicated 85% of the group's victims were U.S.-based, and the large majority of them were large enterprises with more than $300 million in annual revenue. The report also assessed that initial access brokers partnering with FIN12 target a wider range of organizations and allow FIN12 actors to select victims for further malicious activity.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)]\n\nFIN12's toolset has reportedly shifted over time. Cobalt Strike has been observed in most intrusions. While TrickBot and Empire were common post-exploitation tools historically, French authorities observed the group using SystemBC alongside Cobalt Strike during a March 2023 hospital center intrusion. Ryuk, and to a lesser degree Conti, were traditionally used ransomware payloads, with the former used in a series of attacks on U.S. healthcare entities in 2020. However, a French CERT assessment published in 2023 linked the group to multiple more recent incidents it investigated and analyzed, which featured deployment of various ransomware families, including Hive, Nokoyawa, Play, Royal, and BlackCat, along with Emotet and BazarLoader malware for initial footholds.[[Mandiant FIN12 Group Profile October 07 2021](/references/7af84b3d-bbd6-449f-b29b-2f14591c9f05)][[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]\n\n**Related Vulnerabilities**: CVE-2023-21746, CVE-2022-24521, CVE-2021-34527, CVE-2019-0708, CVE-2020-1472[[CERTFR-2023-CTI-007](/references/0f4a03c5-79b3-418e-a77d-305d5a32caca)]",
"meta": {
- "group_attack_id": "G5008",
+ "group_attack_id": "G3005",
"observed_countries": [
"AU",
"CA",
@@ -2773,12 +2737,7 @@
"Pharmaceuticals"
]
},
- "related": [
- {
- "dest-uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4b6531dc-5b29-4577-8b54-fa99229ab0ca",
"value": "FIN4"
},
@@ -2795,12 +2754,7 @@
"Hospitality Leisure"
]
},
- "related": [
- {
- "dest-uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
"value": "FIN5"
},
@@ -2821,12 +2775,7 @@
"Retail"
]
},
- "related": [
- {
- "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
"value": "FIN6"
},
@@ -2880,12 +2829,7 @@
"Transportation"
]
},
- "related": [
- {
- "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"value": "FIN7"
},
@@ -2915,12 +2859,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"value": "FIN8"
},
@@ -2928,9 +2867,10 @@
"description": "Researchers assess that Flax Typhoon is a nation-state-sponsored espionage group based in China that has targeted government, education, manufacturing, and IT organizations in Taiwan, elsewhere in Southeast Asia, North America, and Africa. Flax Typhoon is believed to overlap with the ETHEREAL PANDA group and has been active since mid-2021. Flax Typhoon has been seen establishing persistence, moving laterally, and accessing victim credentials after achieving network access, but to date, researchers have not observed the actors acting on final objectives during intrusions. Microsoft researchers assess that Flax Typhoon's techniques, which lean on legitimate, often built-in tools & utilities, could be used in attacks on victims in other regions.[[Microsoft Flax Typhoon August 24 2023](/references/ec962b72-7b7f-4f7e-b6d6-7c5380b07201)]",
"meta": {
"country": "CN",
- "group_attack_id": "G5031",
+ "group_attack_id": "G3018",
"observed_countries": [
- "TW"
+ "TW",
+ "US"
],
"observed_motivations": [
"Cyber Espionage"
@@ -2938,14 +2878,22 @@
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a",
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "70dc52b0-f317-4134-8a42-71aea1443707",
+ "b20e7912-6a8d-46e3-8e13-9a3fc4813852",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
],
"target_categories": [
+ "Defense",
"Education",
"Government",
"Manufacturing",
- "Technology"
+ "Technology",
+ "Telecommunications"
]
},
"related": [],
@@ -2960,6 +2908,7 @@
"observed_countries": [
"AU",
"AT",
+ "AZ",
"FI",
"FR",
"DE",
@@ -2982,6 +2931,17 @@
],
"source": "MITRE",
"tags": [
+ "07f09197-1847-411e-a451-d37211ead1b2",
+ "0e1abd50-26be-43e7-b8f6-40f8a6aee148",
+ "1ff4614e-0ee6-4e04-921d-61abba7fcdb7",
+ "c475ad68-3fdc-4725-8abc-784c56125e96",
+ "45c5f939-56c4-4d12-844d-578f32d535c3",
+ "5e42e064-1065-44c6-836e-7dc0a2976bd4",
+ "ab64f2d8-8da3-48de-ac66-0fd91d634b22",
+ "cc370970-a67c-4c74-95e3-4fe053e9bfa9",
+ "0e948c57-6c10-4576-ad27-9832cc2af3a1",
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "fe984a01-910d-4e39-9c49-179aa03f75ab",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
"9768aada-9d63-4d46-ab9f-d41b8c8e4010",
@@ -3101,12 +3061,7 @@
"Non Profit"
]
},
- "related": [
- {
- "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
"value": "Gamaredon Group"
},
@@ -3122,12 +3077,7 @@
"Financial Services"
]
},
- "related": [
- {
- "dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "dbc85db0-937d-47d7-9002-7364d41be48a",
"value": "GCMAN"
},
@@ -3166,19 +3116,14 @@
"Government"
]
},
- "related": [
- {
- "dest-uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "efb3b5ac-cd86-44a2-9de1-02e4612b8cc2",
"value": "Gorgon Group"
},
{
"description": "GreenMwizi is assessed to be an actor based in Nairobi, Kenya that has carried out scam campaigns involving social media bots. A campaign observed in May 2023 appeared to target customers of a major online travel/hospitality booking brand.[[GreenMwizi - Kenyan scamming campaign using Twitter bots](/references/3b09696a-1345-4283-a59b-e9a13124ef59)]",
"meta": {
- "group_attack_id": "G5024",
+ "group_attack_id": "G3001",
"observed_motivations": [
"Financial Gain"
],
@@ -3203,19 +3148,14 @@
"group_attack_id": "G0043",
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "fcc6d937-8cd6-4f2c-adb8-48caedbde70a",
"value": "Group5"
},
{
"description": "H0lyGh0st is a North Korea-based ransomware-focused threat actor group.[[H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware](/references/3f66ef62-ac0d-4ece-9a4b-917ae70f1617)]",
"meta": {
- "group_attack_id": "G5025",
+ "group_attack_id": "G3006",
"observed_motivations": [
"Financial Gain"
],
@@ -3252,12 +3192,7 @@
"Think Tanks"
]
},
- "related": [
- {
- "dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
"value": "HAFNIUM"
},
@@ -3298,7 +3233,7 @@
{
"description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Hive, a ransomware-as-a-service (RaaS) variant first observed in June 2021.[[U.S. CISA Hive November 25 2022](/references/fce322e6-5e23-404a-acf8-cd003f00c79d)] Specific pre- and post-compromise behaviors may vary among intrusions carried out by different Hive affiliates.\n\nHive actors have targeted victims in a wide range of verticals, including the government, communications, manufacturing, information technology, financial services, education, and especially the healthcare sectors. In January 2023, international authorities announced they disrupted Hive ransomware operations, seizing control of servers and websites used for communication among Hive actors and capturing Hive decryption keys.[[U.S. Justice Department Hive January 2023](/references/81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0)]",
"meta": {
- "group_attack_id": "G5042",
+ "group_attack_id": "G3041",
"observed_countries": [
"DE",
"NL",
@@ -3374,12 +3309,7 @@
"Media"
]
},
- "related": [
- {
- "dest-uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
"value": "Inception"
},
@@ -3493,19 +3423,14 @@
"NGOs"
]
},
- "related": [
- {
- "dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
"value": "Ke3chang"
},
{
"description": "Killnet is an apparent hacktivist collective that has primarily used distributed denial of service (DDoS) attacks in support of its ideology, which appears to largely align with Russian state interests. The group emerged in October 2021, initially offering DDoS capabilities as a for-hire service. However, after the February 2022 Russian invasion of Ukraine, Killnet explicitly pledged allegiance to Russia and began to threaten and claim responsibility for attacks on targets in Ukraine and in countries perceived to support Ukraine. To date, the group has claimed and is believed to be responsible for a considerable number of DDoS attacks on government and private sector targets in a range of sectors, using a variety of discrete techniques to carry them out. It is also believed to be behind a smaller number of data exfiltration-focused attacks, and it has promoted the use of defacement tools in its communication channels with supporters.[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]\n\nIn October 2023, following a series of air- and land-based attacks in the Gaza Strip, researchers observed Killnet claiming responsibility for disruptive attacks against computer networks in Israel and pledging explicit support for Palestinian interests.[[RyanW3stman Tweet October 10 2023](/references/cfd0ad64-54b2-446f-9624-9c90a9a94f52)]",
"meta": {
- "group_attack_id": "G5009",
+ "group_attack_id": "G3022",
"observed_countries": [
"BE",
"CZ",
@@ -3620,12 +3545,7 @@
"Infrastructure"
]
},
- "related": [
- {
- "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"value": "Lazarus Group"
},
@@ -3732,19 +3652,14 @@
"Transportation"
]
},
- "related": [
- {
- "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
"value": "Leviathan"
},
{
"description": "This object represents the LockBit Ransomware-as-a-Service (\"RaaS\") apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects.\n\nRansomware labeled \"LockBit\" was first observed in 2020. LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (\"CISA\"), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware's predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (March 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nSince emerging in 2020, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world. In June 2023, the U.S. Federal Bureau of Investigation reported it had identified 1,700 LockBit attacks since 2020.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (576 associated with the LockBit 2.0 variant and 394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims, more than double the number of the next threat (Clop, with 179 victims).[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] CISA reported in June 2023 that U.S. ransoms paid to LockBit since January 2020 totaled $91 million.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]\n\nLockBit affiliate operators are known to use a wide variety of techniques during their attacks. Initial access for LockBit infections has occurred via most methods (including a number of vulnerability exploits), and operators are known to abuse a range of free and open-source software tools for a variety of post-exploitation activities. In addition to victim data encryption, LockBit actors routinely exfiltrate victim data and threaten to leak this data for extortion purposes.\n\n**Related Vulnerabilities**: CVE-2021-22986, CVE-2023-0669, CVE-2023-27350, CVE-2021-44228, CVE-2021-22986, CVE-2020-1472, CVE-2019-0708, CVE-2018-13379[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]",
"meta": {
- "group_attack_id": "G5004",
+ "group_attack_id": "G3013",
"observed_countries": [
"AR",
"AU",
@@ -3875,12 +3790,7 @@
"Government"
]
},
- "related": [
- {
- "dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52",
"value": "Lotus Blossom"
},
@@ -3897,7 +3807,7 @@
{
"description": "Luna Moth (aka Silent Ransom Group) is a financially-motivated, extortion-focused adversary active since at least March 2022 and through at least June 2023. The group is known for carrying out \"callback phishing\" attacks, where actors entice victims to call an actor-controlled number, for example by sending a fraudulent email that claims the victim recently registered for a popular subscription service. Once connected, actors would convince victims to join a live, actor-connected sessions with legitimate remote access tools provided via a link in a subsequent email, then install other legitimate remote administration software used to support further discovery and exfiltration activity.[[Sygnia Luna Moth July 1 2022](/references/115590b2-ab57-432c-900e-000627464a11)][[FBI Ransomware Tools November 7 2023](/references/e096e1f4-6b62-4756-8811-f263cf1dcecc)]",
"meta": {
- "group_attack_id": "G5043",
+ "group_attack_id": "G3042",
"observed_motivations": [
"Financial Gain"
],
@@ -3958,12 +3868,7 @@
"Utilities"
]
},
- "related": [
- {
- "dest-uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af",
"value": "Machete"
},
@@ -3997,6 +3902,17 @@
"Cyber Espionage"
],
"source": "MITRE",
+ "tags": [
+ "24448a05-2337-4bc9-a889-a83f2fd1f3ad",
+ "3ed2343c-a29c-42e2-8259-410381164c6a",
+ "375983b3-6e87-4281-99e2-1561519dd17b",
+ "64d3f7d8-30b7-4b03-bee2-a6029672216c",
+ "915e7ac2-b266-45d7-945c-cb04327d6246",
+ "e499005b-adba-45bb-85e3-07043fd9edf9",
+ "8b1cb0dc-dd3e-44ba-828c-55c040e93b93",
+ "5f5e40cd-0732-4eb4-a083-06940623c3f9",
+ "1b98f09a-7d93-4abb-8f3e-1eacdb9f9871"
+ ],
"target_categories": [
"Construction",
"Defense",
@@ -4009,12 +3925,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
"value": "Magic Hound"
},
@@ -4048,13 +3959,14 @@
{
"description": "MedusaLocker is a ransomware-as-a-service (\"RaaS\") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)]\n \nThis object represents behaviors associated with operators of MedusaLocker ransomware. As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the \"MedusaLocker Ransomware\" Software object.\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker",
"meta": {
- "group_attack_id": "G5003",
+ "group_attack_id": "G3015",
"observed_motivations": [
"Financial Gain"
],
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
+ "65cf80be-342d-4eba-bf8d-2477923f0ce4",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"15787198-6c8b-4f79-bf50-258d55072fee",
"5e7433ad-a894-4489-93bc-41e90da90019",
@@ -4071,7 +3983,7 @@
{
"description": "Medusa is a ransomware operation that reportedly launched in June 2021. In 2023, the group launched a website used to publicize alleged victims. The group appears to be independent of the similarly named \"MedusaLocker\" operation.[[Bleeping Computer Medusa Ransomware March 12 2023](/references/21fe1d9e-17f1-49e2-b05f-78e9160f5414)]\n\nAccording to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, Medusa actors publicly claimed around 90 victims through September 2023, ranking it ninth out of the 50+ ransomware operations in the dataset. These victims come from a wide variety of industry sectors and localities.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]",
"meta": {
- "group_attack_id": "G5007",
+ "group_attack_id": "G3021",
"observed_countries": [
"CA",
"CL",
@@ -4180,12 +4092,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"value": "menuPass"
},
@@ -4219,12 +4126,7 @@
"Manufacturing"
]
},
- "related": [
- {
- "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4510ce41-27b9-479c-9bf3-a328b77bae29",
"value": "Moafee"
},
@@ -4282,12 +4184,7 @@
"NGOs"
]
},
- "related": [
- {
- "dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
"value": "Molerats"
},
@@ -4295,7 +4192,7 @@
"description": "Moonstone Sleet is a North Korea state-aligned threat actor group that has targeted individuals and organizations related to the software, information technology, education, and defense industrial base sectors, for both financial gain and espionage purposes. The group is believed to be well-resourced, capable of conducting multiple distinct campaigns simultaneously. Microsoft security researchers assess that Moonstone Sleet has expanded its capabilities, with possible goals of enabling disruptive operations and/or software supply chain attacks.[[Microsoft Security Blog 5 28 2024](/references/faf315ed-71f7-4e29-8334-701da35a69ad)]",
"meta": {
"country": "KP",
- "group_attack_id": "G5040",
+ "group_attack_id": "G3039",
"observed_motivations": [
"Cyber Espionage",
"Financial Gain"
@@ -4410,6 +4307,9 @@
],
"source": "MITRE",
"tags": [
+ "ee3188ce-20e9-4e8e-bbfd-cdc527d5a2b2",
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
+ "0eab0089-86a5-43b1-9ddb-8960f1005267",
"992bdd33-4a47-495d-883a-58010a2f0efb"
],
"target_categories": [
@@ -4420,12 +4320,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"value": "MuddyWater"
},
@@ -4519,12 +4414,7 @@
"Government"
]
},
- "related": [
- {
- "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"value": "Naikon"
},
@@ -4540,12 +4430,7 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c",
"value": "NEODYMIUM"
},
@@ -4585,8 +4470,13 @@
"GB",
"US"
],
+ "observed_motivations": [
+ "Cyber Espionage"
+ ],
"source": "MITRE",
"tags": [
+ "0f1b7cb0-c4de-485e-8ff5-fe12ffccd738",
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647"
],
"target_categories": [
@@ -4599,12 +4489,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"value": "OilRig"
},
@@ -4672,19 +4557,14 @@
"Think Tanks"
]
},
- "related": [
- {
- "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
"value": "Patchwork"
},
{
"description": "This object represents a collection of MITRE ATT&CK® Techniques and other objects (Software and/or Campaigns) related to the Phobos ransomware-as-a-service (\"RaaS\") operation. Further background & contextual details can be found in the References tab below.",
"meta": {
- "group_attack_id": "G5020",
+ "group_attack_id": "G3033",
"observed_countries": [
"US"
],
@@ -4694,6 +4574,7 @@
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
+ "ee8be47a-dbd8-4067-8785-2fc1450587eb",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"d819ae1a-e385-49fd-88d5-f66660729ecb",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -4727,12 +4608,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
"value": "PittyTiger"
},
@@ -4756,19 +4632,14 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f036b992-4c3f-47b7-a458-94ac133bce74",
"value": "PLATINUM"
},
{
"description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nPlay is a ransomware operation first observed in mid-2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokoyawa ransomwares, which themselves are believed to be linked.[[Trend Micro Play Playbook September 06 2022](/references/2d2b527d-25b0-4b58-9ae6-c87060b64069)] According to publicly available ransomware extortion threat data, Play has claimed more than 300 victims from a wide range of sectors on its data leak site since December 2022.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]\n\n**Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.play\n\n**PulseDive (IOCs)**: https://pulsedive.com/threat/PlayCrypt",
"meta": {
- "group_attack_id": "G5018",
+ "group_attack_id": "G3016",
"observed_countries": [
"AR",
"BE",
@@ -4791,6 +4662,7 @@
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
+ "a2e000da-8181-4327-bacd-32013dbd3654",
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172",
@@ -4853,12 +4725,7 @@
"Utilities"
]
},
- "related": [
- {
- "dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "553e2b7b-170c-4eb5-812b-ea33fe1dd4a0",
"value": "Poseidon Group"
},
@@ -4874,12 +4741,7 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "cc798766-8662-4b55-8536-6d057fbc58f0",
"value": "PROMETHIUM"
},
@@ -4901,19 +4763,30 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
"value": "Putter Panda"
},
+ {
+ "description": "7777 or Quad7 is a botnet used to compromise network devices such as TP-LINK small office/home office (\"SOHO\") routers and use the infected devices to relay password spraying attacks against Microsoft 365 accounts.[[Sekoia.io Blog July 23 2024](/references/ae84e72a-56b3-4dc4-b053-d3766764ac0d)][[Sekoia.io Blog September 9 2024](/references/eb4a1888-3b04-449b-9738-d96ae26adfee)] This object reflects the various Techniques observed in use by the threat actors known to operate this botnet.",
+ "meta": {
+ "group_attack_id": "G3052",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "bf3d1108-0bcd-47ae-8d71-4df48e3e2b43",
+ "value": "Quad7 Botnet Operators"
+ },
{
"description": "This Group object reflects the tools & TTPs associated with threat actors known to deploy Quantum ransomware (aka Quantum Locker, which derives from the MountLocker, AstroLocker, and XingLocker ransomware families). The Quantum group is known to publicly extort its victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)] Researchers indicate the group is a rebranding of the \"Conti Team Two\" that formed after the fragmenting of the Ryuk/Conti ransom group in early 2022.[[AdvIntel Bazar Call August 10 2022](/references/5d3dff70-28c2-42a5-bf58-211fe6491fd2)]",
"meta": {
- "group_attack_id": "G5044",
+ "group_attack_id": "G3043",
"observed_motivations": [
"Financial Gain"
],
@@ -4944,29 +4817,50 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
"value": "Rancor"
},
{
"description": "RansomHub is an extortion group that regularly republicizes victim data allegedly stolen in other ransomware groups' attacks, but it is also believed to have developed an original ransomware payload.[[BroadcomSW June 5 2024](/references/3fa49490-cb22-4362-bf48-eaba9e83e6f5)][[The Record RansomHub June 3 2024](/references/1e474240-bd12-4472-8e69-1631b0e4c102)] This object reflects the ATT&CK Techniques and/or associated Software & Campaigns linked to attacks by actors deploying RansomHub ransomware.",
"meta": {
- "group_attack_id": "G5050",
+ "group_attack_id": "G3049",
+ "observed_countries": [
+ "US"
+ ],
"observed_motivations": [
"Financial Gain"
],
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "32b1a271-7856-4dda-a802-42325f465d36",
+ "89c5b94b-ecf4-4d53-9b74-3465086d4565",
+ "09de661e-60c4-43fb-bfef-df017215d1d8",
+ "8046a757-48f0-4787-81ab-9dc8c1eb77cd",
+ "abe1c785-4f3a-4f4f-96eb-c47da570face",
+ "9794c389-183b-4d6b-bd59-95cfa4a5afc7",
+ "4ac8dcde-2665-4066-9ad9-b5572d5f0d28",
+ "b8448700-7ed0-48b8-85f5-ed23e0d9ab97",
+ "c475ad68-3fdc-4725-8abc-784c56125e96",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
"5e7433ad-a894-4489-93bc-41e90da90019",
- "7e7b0c67-bb85-4996-a289-da0e792d7172",
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
- "2feda37d-5579-4102-a073-aa02e82cb49f"
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ],
+ "target_categories": [
+ "Agriculture",
+ "Financial Services",
+ "Government",
+ "Healthcare",
+ "Manufacturing",
+ "Technology",
+ "Telecommunications",
+ "Transportation",
+ "Utilities",
+ "Water"
]
},
"related": [],
@@ -4976,7 +4870,7 @@
{
"description": "This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service (\"RaaS\") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)]\n\n**Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]",
"meta": {
- "group_attack_id": "G5013",
+ "group_attack_id": "G3017",
"observed_countries": [
"AU",
"AT",
@@ -5002,6 +4896,7 @@
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
+ "1bafa336-67a8-4094-bb2e-2079a7bdaab5",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"15787198-6c8b-4f79-bf50-258d55072fee",
"2743d495-7728-4a75-9e5f-b64854039792",
@@ -5039,7 +4934,7 @@
{
"description": "Royal is a ransomware group believed to be responsible for hundreds of attacks on victims worldwide, including those in critical infrastructure sectors including manufacturing, communications, healthcare, and education. The actors that comprise the Royal ransomware operation are believed to be former members of other cybercriminal groups linked to Roy/Zeon ransomware, Conti ransomware, and TrickBot. Unlike many of the other most prominent ransomware groups in recent years, the developers of Royal ransomware are not known to lease the malware to affiliates as a service.[[Kroll Royal Deep Dive February 2023](/references/dcdcc965-56d0-58e6-996b-d8bd40916745)]\n\nThe Royal group often pressures victims into paying ransom demands by threatening to leak data exfiltrated during intrusions. While public data from the [ransomwatch project](https://github.com/joshhighet/ransomwatch) suggest the group has claimed roughly 200 victims since Q4 2022, a November 2023 U.S. government advisory indicated that Royal “has targeted over 350 known victims worldwide” since September 2022, with extortion demands at times exceeding $250 million.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)][[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)]",
"meta": {
- "group_attack_id": "G5014",
+ "group_attack_id": "G3003",
"observed_countries": [
"AU",
"BR",
@@ -5102,12 +4997,7 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd",
"value": "RTM"
},
@@ -5151,19 +5041,14 @@
"Transportation"
]
},
- "related": [
- {
- "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"value": "Sandworm Team"
},
{
"description": "SCARLETEEL is a threat actor known to leverage various cloud-based technologies in order to steal proprietary software and other data from victim environments.[[Sysdig Scarleteel February 28 2023](/references/18931f81-51bf-44af-9573-512ccb66c238)]",
"meta": {
- "group_attack_id": "G5036",
+ "group_attack_id": "G3032",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
@@ -5179,6 +5064,21 @@
"uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886",
"value": "SCARLETEEL"
},
+ {
+ "description": "Scarlet Goldfinch is a threat activity cluster that typically tricks victims into downloading files that appear to be web browser updates, with the file ultimately leading to the deployment of NetSupport Manager, a remote monitoring and management (RMM) utility that has been heavily abused by adversaries.[[Red Canary June 26 2024](/references/e0d62504-6fec-4d95-9f4a-e0dda7e7b6d9)]",
+ "meta": {
+ "group_attack_id": "G5023",
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ]
+ },
+ "related": [],
+ "uuid": "54a13c54-a1d5-46e9-b155-56d981a5ad8f",
+ "value": "Scarlet Goldfinch"
+ },
{
"description": "[Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://app.tidalcyber.com/groups/6c1bdc51-f633-4512-8b20-04a11c2d97f4) and [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c), it has not been concluded that the groups are the same. [[Scarlet Mimic Jan 2016](https://app.tidalcyber.com/references/f84a5b6d-3af1-45b1-ac55-69ceced8735f)]",
"meta": {
@@ -5191,12 +5091,7 @@
"Human Rights"
]
},
- "related": [
- {
- "dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4",
"value": "Scarlet Mimic"
},
@@ -5405,19 +5300,14 @@
"Government"
]
},
- "related": [
- {
- "dest-uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577",
"value": "Sowbug"
},
{
"description": "Spandex Tempest is a financially motivated adversary group associated with Dudear campaigns, which deliver the FlawedGrace remote access Trojan for information theft purposes.[[Microsoft Threat Actor Naming](/references/de9cda86-0b23-4bc8-b524-e74fecf99448)] The group has evolved initial access techniques observed during these campaigns to evade defenses.[[Microsoft Threat Intelligence Tweet June 17 2020](/references/98fc7485-9424-412f-8162-a69d6c10c243)]",
"meta": {
- "group_attack_id": "G5029",
+ "group_attack_id": "G3012",
"observed_motivations": [
"Financial Gain"
],
@@ -5436,7 +5326,7 @@
"description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nStar Blizzard is believed to be a Russia-based cyber threat actor group. According to joint Cybersecurity Advisory AA23-341A (December 2023), U.S. and international authorities assess that Star Blizzard is “almost certainly” a subordinate of the Russian Federal Security Service (FSB) Centre 18. Star Blizzard is known to successfully use spear-phishing attacks against its targets for information-gathering purposes. The advisory indicated that authorities observed these spear-phishing attacks occurring through 2023. Star Blizzard has traditionally targeted academic, defense, government, non-governmental (NGO), and think tank organizations (and associated personnel) in the United States and United Kingdom, other NATO nations, and countries neighboring Russia. Politicians have also been targeted. According to the advisory, beginning in 2022, authorities witnessed Star Blizzard targeting expand to targets in the defense-industrial sector and U.S. Department of Energy facilities.[[U.S. CISA Star Blizzard December 2023](/references/3d53c154-8ced-4dbe-ab4e-db3bc15bfe4b)]",
"meta": {
"country": "RU",
- "group_attack_id": "G5017",
+ "group_attack_id": "G3029",
"observed_countries": [
"GB",
"US"
@@ -5476,19 +5366,14 @@
"Human Rights"
]
},
- "related": [
- {
- "dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ca3016f3-642a-4ae0-86bc-7258475d6937",
"value": "Stealth Falcon"
},
{
"description": "Storm-0844 is a threat actor originally known for distributing Akira ransomware, and more recently, for distributing Fog ransomware. The actor gains initial access likely by abusing valid accounts, then uses freely available tools for discovery, lateral movement, and exfiltration prior to ransomware deployment.[[Microsoft Threat Intelligence LinkedIn July 15 2024](/references/0e7ea8d0-bdb8-48a6-9718-703f64d16460)]",
"meta": {
- "group_attack_id": "G5047",
+ "group_attack_id": "G3046",
"observed_motivations": [
"Financial Gain"
],
@@ -5509,7 +5394,7 @@
{
"description": "According to Microsoft security researchers, Storm-1811 is a \"financially motivated cybercriminal group known to deploy Black Basta ransomware\".[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]",
"meta": {
- "group_attack_id": "G5039",
+ "group_attack_id": "G3038",
"observed_motivations": [
"Financial Gain"
],
@@ -5551,12 +5436,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1",
"value": "Strider"
},
@@ -5573,12 +5453,7 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "06549082-ff70-43bf-985e-88c695c7113c",
"value": "Suckfly"
},
@@ -5616,12 +5491,7 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
"value": "TA459"
},
@@ -5646,12 +5516,7 @@
"a98d7a43-f227-478e-81de-e7299639a355"
]
},
- "related": [
- {
- "dest-uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
"value": "TA505"
},
@@ -5664,19 +5529,14 @@
],
"source": "MITRE"
},
- "related": [
- {
- "dest-uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
"value": "TA551"
},
{
"description": "*Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the **Add to Matrix** button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a [60-second tutorial here](https://www.youtube.com/watch?v=4jBo3XLO01E)).*\n\nTA577 is a cybercriminal actor that has remained highly active since mid-2020. The actor is known for carrying out email-based campaigns that result in the delivery of a wide range of payloads, including at least one leading to ransomware (REvil) deployment. These campaigns are known to impact organizations in a wide range of sectors and geographic locations.[[Proofpoint Ransomware Initial Access June 2021](/references/3b0631ae-f589-4b7c-a00a-04dcd5f3a77b)] The actor appears adept at shifting payloads in response to external factors, for example moving to deliver DarkGate and Pikabot shortly after international authorities disrupted the QakBot botnet in August 2023.[[Malwarebytes Pikabot December 15 2023](/references/50b29ef4-7ade-4672-99b6-fdf367170a5b)]",
"meta": {
- "group_attack_id": "G5019",
+ "group_attack_id": "G3031",
"observed_motivations": [
"Financial Gain"
],
@@ -5727,12 +5587,7 @@
"Infrastructure"
]
},
- "related": [
- {
- "dest-uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "3a54b8dc-a231-4db8-96da-1c0c1aa396f6",
"value": "TEMP.Veles"
},
@@ -5810,12 +5665,7 @@
"Technology"
]
},
- "related": [
- {
- "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"value": "Threat Group-3390"
},
@@ -5835,12 +5685,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
"value": "Thrip"
},
@@ -5880,12 +5725,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
"value": "Tonto Team"
},
@@ -5958,12 +5798,7 @@
"Transportation"
]
},
- "related": [
- {
- "dest-uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
"value": "Tropic Trooper"
},
@@ -6061,12 +5896,7 @@
"Telecommunications"
]
},
- "related": [
- {
- "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"value": "Turla"
},
@@ -6074,7 +5904,7 @@
"description": "UAT4356 (aka Storm-1849) is an actor attributed to the ArcaneDoor campaign targeting Cisco Adaptive Security Appliance (ASA) network devices. The suspected espionage activity targeted unspecified government institutions around the world.[[Cisco Talos ArcaneDoor April 24 2024](/references/531c3f6f-2d2b-4774-b069-e2b7a13602c1)] Anonymous sources indicated that the ArcaneDoor campaign appeared aligned with China's state interests.[[Wired ArcaneDoor April 24 2024](/references/05a8afd3-0173-41ca-b23b-196ea0f3b1c1)]",
"meta": {
"country": "CN",
- "group_attack_id": "G5022",
+ "group_attack_id": "G3036",
"observed_motivations": [
"Cyber Espionage"
],
@@ -6097,7 +5927,7 @@
{
"description": "UNC3966 is a threat actor group tracked by Mandiant. In an intrusion documented in March 2023, UNC3966 received access to a victim network initially compromised by the group UNC961. UNC3966 primary motivations remain unclear. During the intrusion, the group was observed collecting and exfiltrating victim data. While a ransom note was also discovered, UNC3966 did not appear to deploy ransomware encryption software and did not appear to demand a ransom payment.[[Mandiant UNC961 March 23 2023](/references/cef19ceb-179f-4d49-acba-5ce40ab9f65e)]",
"meta": {
- "group_attack_id": "G5034",
+ "group_attack_id": "G3027",
"owner": "TidalCyberIan",
"source": "Tidal Cyber",
"tags": [
@@ -6112,7 +5942,7 @@
{
"description": "UNC5537 is a threat actor believed to be responsible for compromising a large number of database instances belonging to customers of Snowflake, a multi-cloud data warehousing platform, in Q2 2024. Initial access was largely achieved using stolen customer credentials compromised previously via infostealer malware. Actors sought to monetize their access by selling victim data on underground forums and by extorting victims. Researchers believe UNC5537 is comprised of members based in North America and at least one member in Turkey, and it has targeted hundreds of organizations globally.[[Google Cloud June 10 2024](/references/0afe3662-b55c-4189-9c9a-2be55a9b6a70)]",
"meta": {
- "group_attack_id": "G5041",
+ "group_attack_id": "G3040",
"observed_countries": [
"ES",
"US"
@@ -6143,7 +5973,7 @@
{
"description": "UNC961 is a financially motivated group active since at least 2018. It traditionally targeted retail and \"business services\" organizations based in North America, until expanding its targeting in 2020 to also include victims in a range of additional sectors in Northern Europe and Western Asia. In all known intrusions, UNC961 gained initial access by exploiting web-facing applications.[[Mandiant Log4Shell March 28 2022](/references/62d4d685-09c4-47b6-865c-4a6096e551cd)]",
"meta": {
- "group_attack_id": "G5033",
+ "group_attack_id": "G3026",
"observed_motivations": [
"Financial Gain"
],
@@ -6177,11 +6007,40 @@
"uuid": "e47b2958-b7c4-4fe1-a006-03137db91963",
"value": "UNC961"
},
+ {
+ "description": "Vanilla Tempest is a financially motivated threat actor that has been active since July 2022, which has used a variety of ransomware payloads during observed attacks. Microsoft Threat Intelligence researchers indicate that Vanilla Tempest, which was previously tracked under the moniker DEV-0832, \"overlaps with\" activity tracked by other research teams as the Vice Society ransomware/extortion group.[[MSTIC Vanilla Tempest September 18 2024](/references/24c11dff-21df-4ce9-b3df-2e0a886339ff)]",
+ "meta": {
+ "group_attack_id": "G3054",
+ "observed_countries": [
+ "US"
+ ],
+ "observed_motivations": [
+ "Financial Gain"
+ ],
+ "owner": "TidalCyberIan",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "target_categories": [
+ "Education",
+ "Healthcare",
+ "Manufacturing",
+ "Technology"
+ ]
+ },
+ "related": [],
+ "uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "value": "Vanilla Tempest"
+ },
{
"description": "Velvet Ant is a suspected \"China-nexus\" espionage group that has notably targeted network devices as part of its operations. In one case involving an unspecified victim located in East Asia, the group was seen abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as a command-and-control mechanism, managing to maintain network persistence for a period of three years. As part of the broader investigation into the group, researchers also observed cases of zero-day exploitation of CVE-2024-20399 in Cisco Nexus network switch devices, which allowed actors to upload and execute previously unknown, custom malware. The researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances \"are often not sufficiently protected and monitored\".[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]",
"meta": {
"country": "CN",
- "group_attack_id": "G5045",
+ "group_attack_id": "G3044",
"observed_motivations": [
"Cyber Espionage"
],
@@ -6202,7 +6061,7 @@
{
"description": "Vice Society is an extortion-focused threat actor group first observed in mid-2021. The group gained notoriety after targeting a considerable number of educational institutions, especially lower education institutions. Although the education sector accounts for a disproportionate amount of the group’s victims, Vice Society has claimed victims in multiple other industries too, including the healthcare, retail, financial, insurance, and public services sectors. The group regularly pressures victims into paying a ransom by threatening to leak data exfiltrated during its intrusions. Vice Society is not known to have developed its own ransomware, instead deploying other existing families, including HELLOKITTY/FIVEHANDS and Zeppelin.[[U.S. CISA Vice Society September 2022](/references/0a754513-5f20-44a0-8cea-c5d9519106c8)]\n\n**Related Vulnerabilities**: CVE-2021-1675[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)], CVE-2021-34527[[Unit 42 Vice Society December 6 2022](/references/6abf7387-0857-4938-b36e-1374a66d4ed8)]",
"meta": {
- "group_attack_id": "G5012",
+ "group_attack_id": "G3004",
"observed_countries": [
"AR",
"AU",
@@ -6273,7 +6132,7 @@
{
"description": "Void Rabisu is a threat actor believed be responsible for distributing Cuba ransomware.[[Unit 42 Cuba August 9 2022](/references/06f668d9-9a68-4d2f-b9a0-b92beb3b75d6)] Trend Micro researchers assess that, since October 2022, Void Rabisu's use of the RomCom backdoor during attacks could suggest a shift in its motivation towards more geopolitically motivated activity.[[Trend Micro Void Rabisu May 30 2023](/references/5fd628ca-f366-4f0d-b493-8be19fa4dd4e)]",
"meta": {
- "group_attack_id": "G5027",
+ "group_attack_id": "G3009",
"observed_countries": [
"UA",
"US"
@@ -6317,10 +6176,6 @@
"Cyber Espionage"
],
"source": "MITRE",
- "tags": [
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
- "2feda37d-5579-4102-a073-aa02e82cb49f"
- ],
"target_categories": [
"Defense",
"Education",
@@ -6486,12 +6341,7 @@
"Entertainment"
]
},
- "related": [
- {
- "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
"value": "Winnti Group"
},
@@ -6578,7 +6428,7 @@
"description": "Yellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, Crimson Sandstorm) is a threat actor group based in Iran that is believed to be aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). Researchers have observed the group targeting victims in a range of sectors in the United States, Europe, the Middle East and Mediterranean, and South Asia.[[PwC Yellow Liderc October 25 2023](/references/cbeaf9b5-865f-44a1-a913-9eec28d7a5ff)]",
"meta": {
"country": "IR",
- "group_attack_id": "G5032",
+ "group_attack_id": "G3025",
"observed_countries": [
"US"
],
@@ -6646,7 +6496,7 @@
{
"description": "This object reflects the TTPs used by threat actors to distribute and deploy the Zloader trojan malware. Researchers have observed actors distributing Zloader in campaigns without attributing the activity to named adversaries, such as the operations described by ESET researchers cited in the References.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)]\n\nTTPs associated with Zloader binaries themselves can be found in the separate \"Zloader\" Software object.",
"meta": {
- "group_attack_id": "G5037",
+ "group_attack_id": "G3034",
"observed_countries": [
"AF",
"AR",
diff --git a/clusters/tidal-references.json b/clusters/tidal-references.json
index 115d356..8cbd3d7 100644
--- a/clusters/tidal-references.json
+++ b/clusters/tidal-references.json
@@ -1933,20 +1933,6 @@
"uuid": "5b6b909d-870a-4d14-85ec-6aa14e598740",
"value": "FireEye APT Groups"
},
- {
- "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.",
- "meta": {
- "date_accessed": "2024-02-14T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/insights/apt-groups"
- ],
- "source": "MITRE",
- "title": "Advanced Persistent Threats (APTs)"
- },
- "related": [],
- "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236",
- "value": "Mandiant Advanced Persistent Threats"
- },
{
"description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved September 14, 2023.",
"meta": {
@@ -1962,6 +1948,20 @@
"uuid": "c984fcfc-1bfd-4b1e-9034-a6ff3e6ebf97",
"value": "Mandiant APT Groups List"
},
+ {
+ "description": "Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-14T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/insights/apt-groups"
+ ],
+ "source": "MITRE",
+ "title": "Advanced Persistent Threats (APTs)"
+ },
+ "related": [],
+ "uuid": "2d16615b-09fc-5925-8f59-6d20f334d236",
+ "value": "Mandiant Advanced Persistent Threats"
+ },
{
"description": "Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.",
"meta": {
@@ -2221,6 +2221,22 @@
"uuid": "28bfb97b-4b58-408a-bef9-9081f6ddedb8",
"value": "LogPoint Agent Tesla March 23 2023"
},
+ {
+ "description": "Sekoia TDR; Felix Aimé; Pierre-Antoine D; Charles M. (2024, September 9). A glimpse into the Quad7 operators' next moves and associated botnets. Retrieved September 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-11T00:00:00Z",
+ "date_published": "2024-09-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "A glimpse into the Quad7 operators' next moves and associated botnets"
+ },
+ "related": [],
+ "uuid": "eb4a1888-3b04-449b-9738-d96ae26adfee",
+ "value": "Sekoia.io Blog September 9 2024"
+ },
{
"description": "Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.",
"meta": {
@@ -2358,6 +2374,22 @@
"uuid": "1343b052-b158-4dad-9ed4-9dbb7bb778dd",
"value": "Sophos Akira May 9 2023"
},
+ {
+ "description": "BlackBerry Research and Intelligence Team. (2024, July 11). Akira Ransomware Targets the LATAM Airline Industry. Retrieved September 16, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-16T00:00:00Z",
+ "date_published": "2024-07-11T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Akira Ransomware Targets the LATAM Airline Industry"
+ },
+ "related": [],
+ "uuid": "59a1bd0f-a907-4918-90e1-d163bf84f927",
+ "value": "BlackBerry Akira July 11 2024"
+ },
{
"description": "Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023.",
"meta": {
@@ -3469,21 +3501,6 @@
"uuid": "03eb080d-0b83-5cbb-9317-c50b35996c9b",
"value": "SecureList Fileless"
},
- {
- "description": "M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.",
- "meta": {
- "date_accessed": "2018-01-08T00:00:00Z",
- "date_published": "2014-02-21T00:00:00Z",
- "refs": [
- "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
- ],
- "source": "MITRE",
- "title": "An In-depth Analysis of Linux/Ebury"
- },
- "related": [],
- "uuid": "39384c7a-3032-4b45-a5eb-8ebe7de22aa2",
- "value": "Welivesecurity Ebury SSH"
- },
{
"description": "M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.",
"meta": {
@@ -3499,6 +3516,21 @@
"uuid": "eb6d4f77-ac63-4cb8-8487-20f9e709334b",
"value": "ESET Ebury Feb 2014"
},
+ {
+ "description": "M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved January 8, 2018.",
+ "meta": {
+ "date_accessed": "2018-01-08T00:00:00Z",
+ "date_published": "2014-02-21T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
+ ],
+ "source": "MITRE",
+ "title": "An In-depth Analysis of Linux/Ebury"
+ },
+ "related": [],
+ "uuid": "39384c7a-3032-4b45-a5eb-8ebe7de22aa2",
+ "value": "Welivesecurity Ebury SSH"
+ },
{
"description": "Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.",
"meta": {
@@ -4051,21 +4083,6 @@
"uuid": "268e7ade-c0a8-5859-8b16-6fa8aa3b0cb7",
"value": "Microsoft App Domains"
},
- {
- "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
- "meta": {
- "date_accessed": "2014-11-18T00:00:00Z",
- "date_published": "2008-06-01T00:00:00Z",
- "refs": [
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"
- ],
- "source": "MITRE",
- "title": "Application Lockdown with Software Restriction Policies"
- },
- "related": [],
- "uuid": "cae409ca-1c77-45df-88cd-c0998ac724ec",
- "value": "Corio 2008"
- },
{
"description": "Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
"meta": {
@@ -4081,6 +4098,21 @@
"uuid": "5dab4466-0871-486a-84ad-0e648b2e937d",
"value": "Microsoft Application Lockdown"
},
+ {
+ "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
+ "meta": {
+ "date_accessed": "2014-11-18T00:00:00Z",
+ "date_published": "2008-06-01T00:00:00Z",
+ "refs": [
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Application Lockdown with Software Restriction Policies"
+ },
+ "related": [],
+ "uuid": "cae409ca-1c77-45df-88cd-c0998ac724ec",
+ "value": "Corio 2008"
+ },
{
"description": "Beechey, J.. (2014, November 18). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
"meta": {
@@ -4397,21 +4429,6 @@
"uuid": "3dd67aae-7feb-4b07-a985-ccadc1b16f1d",
"value": "Bitdefender APT28 Dec 2015"
},
- {
- "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.",
- "meta": {
- "date_accessed": "2017-11-20T00:00:00Z",
- "date_published": "2017-03-27T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
- ],
- "source": "MITRE",
- "title": "APT29 Domain Fronting With TOR"
- },
- "related": [],
- "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8",
- "value": "FireEye APT29 Domain Fronting With TOR March 2017"
- },
{
"description": "Dunwoody, M. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved March 27, 2017.",
"meta": {
@@ -4427,6 +4444,21 @@
"uuid": "3e013b07-deaf-4387-acd7-2d0565d196a9",
"value": "FireEye APT29 Domain Fronting"
},
+ {
+ "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.",
+ "meta": {
+ "date_accessed": "2017-11-20T00:00:00Z",
+ "date_published": "2017-03-27T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
+ ],
+ "source": "MITRE",
+ "title": "APT29 Domain Fronting With TOR"
+ },
+ "related": [],
+ "uuid": "1d919991-bc87-41bf-9e58-edf1b3806bb8",
+ "value": "FireEye APT29 Domain Fronting With TOR March 2017"
+ },
{
"description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.",
"meta": {
@@ -5603,21 +5635,6 @@
"uuid": "d4ca3351-eeb8-5342-8c85-806614e22c48",
"value": "FireEye TRITON Dec 2017"
},
- {
- "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.",
- "meta": {
- "date_accessed": "2022-08-09T00:00:00Z",
- "date_published": "2014-01-14T00:00:00Z",
- "refs": [
- "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/"
- ],
- "source": "MITRE",
- "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency"
- },
- "related": [],
- "uuid": "d2186b8c-10c9-493b-8e25-7d69fce006e4",
- "value": "GitHub Cloud Service Credentials"
- },
{
"description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.",
"meta": {
@@ -5633,6 +5650,21 @@
"uuid": "303f8801-bdd6-4a0c-a90a-37867898c99c",
"value": "Forbes GitHub Creds"
},
+ {
+ "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.",
+ "meta": {
+ "date_accessed": "2022-08-09T00:00:00Z",
+ "date_published": "2014-01-14T00:00:00Z",
+ "refs": [
+ "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/"
+ ],
+ "source": "MITRE",
+ "title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency"
+ },
+ "related": [],
+ "uuid": "d2186b8c-10c9-493b-8e25-7d69fce006e4",
+ "value": "GitHub Cloud Service Credentials"
+ },
{
"description": "Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.",
"meta": {
@@ -7739,6 +7771,22 @@
"uuid": "eef7cd8a-8cb6-4b24-ba49-9b17353d20b5",
"value": "Shadowbunny VM Defense Evasion"
},
+ {
+ "description": "Kyle Lefton, Larry Cashdollar, Aline Eliovich. (2024, August 28). Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day. Retrieved September 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-05T00:00:00Z",
+ "date_published": "2024-08-28T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day"
+ },
+ "related": [],
+ "uuid": "140284f8-075c-4225-99dd-519ba5cebabe",
+ "value": "Akamai Corona Zero-Day August 28 2024"
+ },
{
"description": "Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler. Retrieved March 15, 2024.",
"meta": {
@@ -8574,21 +8622,6 @@
"uuid": "e90b4941-5dff-4f38-b4dd-af3426fd621e",
"value": "GitHub Bloodhound"
},
- {
- "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.",
- "meta": {
- "date_accessed": "2019-10-23T00:00:00Z",
- "date_published": "2018-05-11T00:00:00Z",
- "refs": [
- "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1"
- ],
- "source": "MITRE",
- "title": "Blue Cloud of Death: Red Teaming Azure"
- },
- "related": [],
- "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c",
- "value": "Blue Cloud of Death"
- },
{
"description": "Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.",
"meta": {
@@ -8604,6 +8637,21 @@
"uuid": "39b0adf6-c71e-4501-b8bb-fab82718486b",
"value": "Blue Cloud of Death Video"
},
+ {
+ "description": "Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.",
+ "meta": {
+ "date_accessed": "2019-10-23T00:00:00Z",
+ "date_published": "2018-05-11T00:00:00Z",
+ "refs": [
+ "https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1"
+ ],
+ "source": "MITRE",
+ "title": "Blue Cloud of Death: Red Teaming Azure"
+ },
+ "related": [],
+ "uuid": "0c764280-9d8c-4fa4-9088-170f02550d4c",
+ "value": "Blue Cloud of Death"
+ },
{
"description": "SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.",
"meta": {
@@ -8932,21 +8980,6 @@
"uuid": "60fac434-2815-4568-b951-4bde55c2e3af",
"value": "PaloAlto Preventing Opportunistic Attacks Apr 2016"
},
- {
- "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.",
- "meta": {
- "date_accessed": "2021-10-08T00:00:00Z",
- "date_published": "2018-06-18T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique"
- ],
- "source": "MITRE",
- "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique"
- },
- "related": [],
- "uuid": "104a1c1c-0899-4ff9-a5c4-73de702c467d",
- "value": "Mandiant BYOL 2018"
- },
{
"description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.",
"meta": {
@@ -8962,6 +8995,21 @@
"uuid": "445efe8b-659a-4023-afc7-aa7cd21ee5a1",
"value": "Mandiant BYOL"
},
+ {
+ "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.",
+ "meta": {
+ "date_accessed": "2021-10-08T00:00:00Z",
+ "date_published": "2018-06-18T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique"
+ ],
+ "source": "MITRE",
+ "title": "Bring Your Own Land (BYOL) – A Novel Red Teaming Technique"
+ },
+ "related": [],
+ "uuid": "104a1c1c-0899-4ff9-a5c4-73de702c467d",
+ "value": "Mandiant BYOL 2018"
+ },
{
"description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.",
"meta": {
@@ -9579,21 +9627,6 @@
"uuid": "74df644a-06b8-4331-85a3-932358d65b62",
"value": "Hybrid Analysis Icacls1 June 2018"
},
- {
- "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.",
- "meta": {
- "date_accessed": "2020-11-24T00:00:00Z",
- "date_published": "2016-08-31T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store"
- ],
- "source": "MITRE",
- "title": "Cached and Stored Credentials Technical Overview"
- },
- "related": [],
- "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e",
- "value": "Microsoft Credential Manager store"
- },
{
"description": "Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.",
"meta": {
@@ -9609,6 +9642,21 @@
"uuid": "590ea63f-f800-47e4-8d39-df11a184ba84",
"value": "Microsoft - Cached Creds"
},
+ {
+ "description": "Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020.",
+ "meta": {
+ "date_accessed": "2020-11-24T00:00:00Z",
+ "date_published": "2016-08-31T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store"
+ ],
+ "source": "MITRE",
+ "title": "Cached and Stored Credentials Technical Overview"
+ },
+ "related": [],
+ "uuid": "c949a29b-bb31-4bd7-a967-ddd48c7efb8e",
+ "value": "Microsoft Credential Manager store"
+ },
{
"description": "Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.",
"meta": {
@@ -9670,6 +9718,21 @@
"uuid": "7180c6a7-e6ea-54bf-bcd7-c5238bbc5f5b",
"value": "Cadet Blizzard emerges as novel threat actor"
},
+ {
+ "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.",
+ "meta": {
+ "date_accessed": "2022-05-27T00:00:00Z",
+ "date_published": "2022-04-06T00:00:00Z",
+ "refs": [
+ "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/"
+ ],
+ "source": "MITRE",
+ "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda"
+ },
+ "related": [],
+ "uuid": "584e7ace-ef33-423b-9801-4728a447cb34",
+ "value": "Cado Security Denonia"
+ },
{
"description": "jbowen. (2022, April 3). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved April 11, 2024.",
"meta": {
@@ -9686,21 +9749,6 @@
"uuid": "b276c28d-1488-4a21-86d1-7acdfd77794b",
"value": "Cado Denonia April 3 2022"
},
- {
- "description": "Matt Muir. (2022, April 6). Cado Discovers Denonia: The First Malware Specifically Targeting Lambda. Retrieved May 27, 2022.",
- "meta": {
- "date_accessed": "2022-05-27T00:00:00Z",
- "date_published": "2022-04-06T00:00:00Z",
- "refs": [
- "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/"
- ],
- "source": "MITRE",
- "title": "Cado Discovers Denonia: The First Malware Specifically Targeting Lambda"
- },
- "related": [],
- "uuid": "584e7ace-ef33-423b-9801-4728a447cb34",
- "value": "Cado Security Denonia"
- },
{
"description": "William Turton. (2023, September 13). Caesars Entertainment Paid Millions to Hackers in Attack. Retrieved September 14, 2023.",
"meta": {
@@ -10681,6 +10729,22 @@
"uuid": "e3949201-c949-4126-9e02-34bfad4713c0",
"value": "The Hacker News Velvet Ant Cisco July 2 2024"
},
+ {
+ "description": "Bill Toulas. (2024, September 9). Chinese hackers use new data theft malware in govt attacks. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-09-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-data-theft-malware-in-govt-attacks/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Chinese hackers use new data theft malware in govt attacks"
+ },
+ "related": [],
+ "uuid": "40774c9c-daca-4ea0-a504-ca73b11e4f29",
+ "value": "BleepingComputer Mustang Panda September 9 2024"
+ },
{
"description": "Catalin Cimpanu. (2021, July 20). Chinese hacking group APT31 uses mesh of home routers to disguise attacks. Retrieved April 25, 2024.",
"meta": {
@@ -10817,6 +10881,22 @@
"uuid": "b019406c-6e39-41a2-a8b4-97f8d6482147",
"value": "Azure AD Hybrid Identity"
},
+ {
+ "description": "Aedan Russell. (2022, May 25). ChromeLoader a pushy malvertiser. Retrieved September 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-26T00:00:00Z",
+ "date_published": "2022-05-25T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://redcanary.com/blog/threat-detection/chromeloader/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "ChromeLoader a pushy malvertiser"
+ },
+ "related": [],
+ "uuid": "bffc87ac-e51b-47e3-8a9f-547e762e95c2",
+ "value": "Red Canary May 25 2022"
+ },
{
"description": "Huntress. (n.d.). Retrieved March 14, 2024.",
"meta": {
@@ -10831,6 +10911,38 @@
"uuid": "c1b2d0e9-2396-5080-aea3-58a99c027d20",
"value": "Chrome Remote Desktop"
},
+ {
+ "description": "Simon Hertzberg. (2024, August 30). Cicada 3301 - Ransomware-as-a-Service - Technical Analysis. Retrieved September 4, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-04T00:00:00Z",
+ "date_published": "2024-08-30T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.truesec.com/hub/blog/dissecting-the-cicada"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Cicada 3301 - Ransomware-as-a-Service - Technical Analysis"
+ },
+ "related": [],
+ "uuid": "de2de0a9-17d2-41c2-838b-7850762b80ae",
+ "value": "Truesec AB August 30 2024"
+ },
+ {
+ "description": "Sergiu Gatlan. (2024, September 20). CISA warns of Windows flaw used in infostealer malware attacks. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2024-09-20T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-flaw-used-in-infostealer-malware-attacks/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "CISA warns of Windows flaw used in infostealer malware attacks"
+ },
+ "related": [],
+ "uuid": "2c9a2355-02c5-4718-ad6e-b2fac9ad4096",
+ "value": "BleepingComputer Void Banshee September 16 2024"
+ },
{
"description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.",
"meta": {
@@ -11260,20 +11372,6 @@
"uuid": "75b89502-21ed-4920-95cc-212eaf17f281",
"value": "CL_Mutexverifiers.ps1 - LOLBAS Project"
},
- {
- "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.",
- "meta": {
- "date_accessed": "2021-05-11T00:00:00Z",
- "refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware"
- ],
- "source": "MITRE",
- "title": "Clop Ransomware"
- },
- "related": [],
- "uuid": "f54d682d-100e-41bb-96be-6a79ea422066",
- "value": "Cybereason Clop Dec 2020"
- },
{
"description": "Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.",
"meta": {
@@ -11289,6 +11387,20 @@
"uuid": "458141bd-7dd2-41fd-82e8-7ea2e4a477ab",
"value": "Mcafee Clop Aug 2019"
},
+ {
+ "description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.",
+ "meta": {
+ "date_accessed": "2021-05-11T00:00:00Z",
+ "refs": [
+ "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware"
+ ],
+ "source": "MITRE",
+ "title": "Clop Ransomware"
+ },
+ "related": [],
+ "uuid": "f54d682d-100e-41bb-96be-6a79ea422066",
+ "value": "Cybereason Clop Dec 2020"
+ },
{
"description": "Sergiu Gatlan. (2023, February 10). Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day. Retrieved May 8, 2023.",
"meta": {
@@ -12325,21 +12437,6 @@
"uuid": "ccd0d241-4ff7-4a15-b2b4-06945980c6bf",
"value": "Windows RDP Sessions"
},
- {
- "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.",
- "meta": {
- "date_accessed": "2015-06-24T00:00:00Z",
- "date_published": "2013-07-31T00:00:00Z",
- "refs": [
- "https://technet.microsoft.com/en-us/library/dn408187.aspx"
- ],
- "source": "MITRE",
- "title": "Configuring Additional LSA Protection"
- },
- "related": [],
- "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73",
- "value": "Microsoft Configure LSA"
- },
{
"description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.",
"meta": {
@@ -12370,6 +12467,21 @@
"uuid": "da3f1d7d-188f-4500-9bc6-3299ba043b5c",
"value": "Microsoft LSA Protection Mar 2014"
},
+ {
+ "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.",
+ "meta": {
+ "date_accessed": "2015-06-24T00:00:00Z",
+ "date_published": "2013-07-31T00:00:00Z",
+ "refs": [
+ "https://technet.microsoft.com/en-us/library/dn408187.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Configuring Additional LSA Protection"
+ },
+ "related": [],
+ "uuid": "4adfc72b-cd32-46a6-bdf4-a4c2c6cffa73",
+ "value": "Microsoft Configure LSA"
+ },
{
"description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.",
"meta": {
@@ -12878,6 +12990,22 @@
"uuid": "96ce4324-57d2-422b-8403-f5d4f3ce410c",
"value": "Palo Alto ARP"
},
+ {
+ "description": "Jakub Souček. (2024, September 10). CosmicBeetle steps up: Probation period at RansomHub. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-09-10T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "CosmicBeetle steps up: Probation period at RansomHub"
+ },
+ "related": [],
+ "uuid": "8debba29-4d6d-41d2-8772-f97c7d49056b",
+ "value": "WeLiveSecurity CosmicBeetle September 10 2024"
+ },
{
"description": "F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.",
"meta": {
@@ -13519,21 +13647,6 @@
"uuid": "51e67e37-2d61-4228-999b-bec6f80cf106",
"value": "Bishop Fox Sliver Framework August 2019"
},
- {
- "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
- "meta": {
- "date_accessed": "2024-02-15T00:00:00Z",
- "date_published": "2023-08-31T00:00:00Z",
- "refs": [
- "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
- ],
- "source": "MITRE",
- "title": "Cross-Tenant Impersonation: Prevention and Detection"
- },
- "related": [],
- "uuid": "d54188b5-86eb-52a0-8384-823c45431762",
- "value": "Okta Cross-Tenant Impersonation 2023"
- },
{
"description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.",
"meta": {
@@ -13549,6 +13662,21 @@
"uuid": "77dbd22f-ce57-50f7-9c6b-8dc874a4d80d",
"value": "Okta Cross-Tenant Impersonation"
},
+ {
+ "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-15T00:00:00Z",
+ "date_published": "2023-08-31T00:00:00Z",
+ "refs": [
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ ],
+ "source": "MITRE",
+ "title": "Cross-Tenant Impersonation: Prevention and Detection"
+ },
+ "related": [],
+ "uuid": "d54188b5-86eb-52a0-8384-823c45431762",
+ "value": "Okta Cross-Tenant Impersonation 2023"
+ },
{
"description": "Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.",
"meta": {
@@ -13830,21 +13958,6 @@
"uuid": "be233077-7bb4-48be-aecf-03258931527d",
"value": "Microsoft Subkey"
},
- {
- "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.",
- "meta": {
- "date_accessed": "2020-12-30T00:00:00Z",
- "date_published": "2020-12-13T00:00:00Z",
- "refs": [
- "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
- ],
- "source": "MITRE",
- "title": "Customer Guidance on Recent Nation-State Cyber Attacks"
- },
- "related": [],
- "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc",
- "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"
- },
{
"description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.",
"meta": {
@@ -13860,6 +13973,21 @@
"uuid": "b486ae40-a854-4998-bf1b-aaf6ea2047ed",
"value": "Microsoft SolarWinds Customer Guidance"
},
+ {
+ "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.",
+ "meta": {
+ "date_accessed": "2020-12-30T00:00:00Z",
+ "date_published": "2020-12-13T00:00:00Z",
+ "refs": [
+ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+ ],
+ "source": "MITRE",
+ "title": "Customer Guidance on Recent Nation-State Cyber Attacks"
+ },
+ "related": [],
+ "uuid": "47031992-841f-4ef4-87c6-bb4c077fb8dc",
+ "value": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks"
+ },
{
"description": "Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022.",
"meta": {
@@ -15130,6 +15258,22 @@
"uuid": "4476aa0a-b1ef-4ac6-9e44-5721a0b3e92b",
"value": "Nccgroup Gh0st April 2018"
},
+ {
+ "description": "Michael Gorelik. (2024, September 3). Decoding the Puzzle Cicada3301 Ransomware Threat Analysis. Retrieved September 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-05T00:00:00Z",
+ "date_published": "2024-09-03T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.morphisec.com/cicada3301-ransomware-threat-analysis"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Decoding the Puzzle Cicada3301 Ransomware Threat Analysis"
+ },
+ "related": [],
+ "uuid": "90549699-8815-45e8-820c-4f5a7fc584b8",
+ "value": "Morphisec September 3 2024"
+ },
{
"description": "Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018.",
"meta": {
@@ -15671,6 +15815,22 @@
"uuid": "86053c5a-f2dd-4eb3-9dc2-6a6a4e1c2ae5",
"value": "Apple Kernel Extension Deprecation"
},
+ {
+ "description": "Black Lotus Labs. (2024, September 18). Derailing the Raptor Train. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2024-09-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.lumen.com/derailing-the-raptor-train/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Derailing the Raptor Train"
+ },
+ "related": [],
+ "uuid": "21e26577-887b-4b8c-a3f8-4ab8868bed69",
+ "value": "Black Lotus Raptor Train September 18 2024"
+ },
{
"description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.",
"meta": {
@@ -16328,6 +16488,22 @@
"uuid": "91efc6bf-e15c-514a-96c1-e838268d222f",
"value": "Microsoft Royal ransomware November 2022"
},
+ {
+ "description": "Microsoft Threat Intelligence. (2022, October 25). DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2022-10-25T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector"
+ },
+ "related": [],
+ "uuid": "5b667611-649d-44d5-86e0-a79527608b3c",
+ "value": "MSTIC DEV-0832 October 25 2022"
+ },
{
"description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.",
"meta": {
@@ -17237,21 +17413,6 @@
"uuid": "a1b987cc-7789-411c-9673-3cf6357b207c",
"value": "ASERT Donot March 2018"
},
- {
- "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.",
- "meta": {
- "date_accessed": "2024-01-17T00:00:00Z",
- "date_published": "2023-05-22T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
- ],
- "source": "MITRE",
- "title": "Don't @ Me: URL Obfuscation Through Schema Abuse"
- },
- "related": [],
- "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c",
- "value": "mandiant-masking"
- },
{
"description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.",
"meta": {
@@ -17282,6 +17443,21 @@
"uuid": "b63f5934-2ace-5326-89be-7a850469a563",
"value": "Mandiant URL Obfuscation 2023"
},
+ {
+ "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-17T00:00:00Z",
+ "date_published": "2023-05-22T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
+ ],
+ "source": "MITRE",
+ "title": "Don't @ Me: URL Obfuscation Through Schema Abuse"
+ },
+ "related": [],
+ "uuid": "d5ed4c98-6d37-5000-bba0-9aada295a50c",
+ "value": "mandiant-masking"
+ },
{
"description": "TheWover. (2019, May 9). donut. Retrieved March 25, 2022.",
"meta": {
@@ -17478,21 +17654,6 @@
"uuid": "9514c5cd-2ed6-4dbf-aa9e-1c425e969226",
"value": "Symantec Dragonfly"
},
- {
- "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.",
- "meta": {
- "date_accessed": "2022-04-19T00:00:00Z",
- "date_published": "2017-10-07T00:00:00Z",
- "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
- ],
- "source": "MITRE",
- "title": "Dragonfly: Western energy sector targeted by sophisticated attack group"
- },
- "related": [],
- "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681",
- "value": "Symantec Dragonfly 2.0 October 2017"
- },
{
"description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.",
"meta": {
@@ -17508,6 +17669,21 @@
"uuid": "11bbeafc-ed5d-4d2b-9795-a0a9544fb64e",
"value": "Symantec Dragonfly Sept 2017"
},
+ {
+ "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.",
+ "meta": {
+ "date_accessed": "2022-04-19T00:00:00Z",
+ "date_published": "2017-10-07T00:00:00Z",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
+ ],
+ "source": "MITRE",
+ "title": "Dragonfly: Western energy sector targeted by sophisticated attack group"
+ },
+ "related": [],
+ "uuid": "a0439d4a-a3ea-4be5-9a01-f223ca259681",
+ "value": "Symantec Dragonfly 2.0 October 2017"
+ },
{
"description": "Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.",
"meta": {
@@ -17985,20 +18161,6 @@
"uuid": "7b1f945b-2547-4bc6-98bf-30248bdf3587",
"value": "Microsoft Dynamic Link Library Search Order"
},
- {
- "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.",
- "meta": {
- "date_accessed": "2017-11-27T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx"
- ],
- "source": "MITRE",
- "title": "Dynamic-Link Library Security"
- },
- "related": [],
- "uuid": "584490c7-b155-4f62-b68d-a5a2a1799e60",
- "value": "Microsoft DLL Security"
- },
{
"description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.",
"meta": {
@@ -18013,6 +18175,20 @@
"uuid": "e087442a-0a53-4cc8-9fd6-772cbd0295d5",
"value": "Microsoft Dynamic-Link Library Security"
},
+ {
+ "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017.",
+ "meta": {
+ "date_accessed": "2017-11-27T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Dynamic-Link Library Security"
+ },
+ "related": [],
+ "uuid": "584490c7-b155-4f62-b68d-a5a2a1799e60",
+ "value": "Microsoft DLL Security"
+ },
{
"description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.",
"meta": {
@@ -18072,6 +18248,22 @@
"uuid": "149c1446-d6a1-4a63-9420-def9272d6cb9",
"value": "CrowdStrike StellarParticle January 2022"
},
+ {
+ "description": "Lenart Bermejo; Sunny Lu; Ted Lee Read time. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved September 10, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-10T00:00:00Z",
+ "date_published": "2024-09-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Earth Preta Evolves its Attacks with New Malware and Strategies"
+ },
+ "related": [],
+ "uuid": "0fdc9ee2-5be2-43e0-afb9-c9a94fde3867",
+ "value": "Trend Micro September 9 2024"
+ },
{
"description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.",
"meta": {
@@ -18892,6 +19084,21 @@
"uuid": "ad3eda19-08eb-4d59-a2c9-3b5ed8302205",
"value": "Google Ensuring Your Information is Safe"
},
+ {
+ "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.",
+ "meta": {
+ "date_accessed": "2024-02-09T00:00:00Z",
+ "date_published": "2018-11-13T00:00:00Z",
+ "refs": [
+ "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign"
+ ],
+ "source": "MITRE",
+ "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign"
+ },
+ "related": [],
+ "uuid": "31796564-4154-54c0-958a-7d6802dfefad",
+ "value": "Ensilo Darkgate 2018"
+ },
{
"description": "Fortinet Blog. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved October 20, 2023.",
"meta": {
@@ -18908,21 +19115,6 @@
"uuid": "1b9b5c48-d504-4c73-aedc-37e935c47f17",
"value": "Fortinet Blog November 13 2018"
},
- {
- "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.",
- "meta": {
- "date_accessed": "2024-02-09T00:00:00Z",
- "date_published": "2018-11-13T00:00:00Z",
- "refs": [
- "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign"
- ],
- "source": "MITRE",
- "title": "Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign"
- },
- "related": [],
- "uuid": "31796564-4154-54c0-958a-7d6802dfefad",
- "value": "Ensilo Darkgate 2018"
- },
{
"description": "Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.",
"meta": {
@@ -19100,6 +19292,22 @@
"uuid": "691b4907-3544-4ad0-989c-b5c845e0330f",
"value": "LOLBAS Esentutl"
},
+ {
+ "description": "ESET Research. (2024, May 14). ESET APT Activity Report Q4 2023-Q1 2024. Retrieved September 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-01T00:00:00Z",
+ "date_published": "2024-05-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2023-q1-2024.pdf"
+ ],
+ "source": "Tidal Cyber",
+ "title": "ESET APT Activity Report Q4 2023-Q1 2024"
+ },
+ "related": [],
+ "uuid": "896cc899-b667-4f9d-ba90-8650fb978535",
+ "value": "ESET APT Activity Report Q4 2023-Q1 2024"
+ },
{
"description": "Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.",
"meta": {
@@ -20155,21 +20363,6 @@
"uuid": "186c1213-d0c5-4eb6-aa0f-0fd61b07a1f7",
"value": "ThreatPost Social Media Phishing"
},
- {
- "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
- "meta": {
- "date_accessed": "2022-09-30T00:00:00Z",
- "date_published": "2021-01-11T00:00:00Z",
- "refs": [
- "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
- ],
- "source": "MITRE",
- "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts"
- },
- "related": [],
- "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9",
- "value": "Sentinel Labs"
- },
{
"description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.",
"meta": {
@@ -20185,6 +20378,21 @@
"uuid": "34dc9010-e800-420c-ace4-4f426c915d2f",
"value": "SentinelLabs reversing run-only applescripts 2021"
},
+ {
+ "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
+ "meta": {
+ "date_accessed": "2022-09-30T00:00:00Z",
+ "date_published": "2021-01-11T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
+ ],
+ "source": "MITRE",
+ "title": "FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts"
+ },
+ "related": [],
+ "uuid": "785f7692-2be8-4f5d-921e-51efdfe0c0b9",
+ "value": "Sentinel Labs"
+ },
{
"description": "Bill Toulas. (2024, June 17). Fake Google Chrome errors trick you into running malicious PowerShell scripts. Retrieved June 20, 2024.",
"meta": {
@@ -20774,21 +20982,6 @@
"uuid": "6ee27fdb-1753-4fdf-af72-3295b072ff10",
"value": "FireEye FIN7 April 2017"
},
- {
- "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
- "meta": {
- "date_accessed": "2022-04-05T00:00:00Z",
- "date_published": "2022-04-04T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/evolution-of-fin7"
- ],
- "source": "MITRE",
- "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7"
- },
- "related": [],
- "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570",
- "value": "Mandiant FIN7 Apr 2022"
- },
{
"description": "Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved May 25, 2023.",
"meta": {
@@ -20805,6 +20998,21 @@
"uuid": "fbc3ea90-d3d4-440e-964d-6cd2e991df0c",
"value": "Mandiant FIN7 April 4 2022"
},
+ {
+ "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
+ "meta": {
+ "date_accessed": "2022-04-05T00:00:00Z",
+ "date_published": "2022-04-04T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/evolution-of-fin7"
+ ],
+ "source": "MITRE",
+ "title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7"
+ },
+ "related": [],
+ "uuid": "be9919c0-ca52-593b-aea0-c5e9a262b570",
+ "value": "Mandiant FIN7 Apr 2022"
+ },
{
"description": "Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.",
"meta": {
@@ -21636,21 +21844,6 @@
"uuid": "02233ce3-abb2-4aed-95b8-56b65c68a665",
"value": "Quick Heal Blog February 17 2023"
},
- {
- "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.",
- "meta": {
- "date_accessed": "2023-05-15T00:00:00Z",
- "date_published": "2023-03-16T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
- ],
- "source": "MITRE",
- "title": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation"
- },
- "related": [],
- "uuid": "a43dd8ce-23d6-5768-8522-6973dc45e1ac",
- "value": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation"
- },
{
"description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.",
"meta": {
@@ -21666,6 +21859,21 @@
"uuid": "7bdc5bbb-ebbd-5eb8-bd10-9087c883aea7",
"value": "Mandiant Fortinet Zero Day"
},
+ {
+ "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.",
+ "meta": {
+ "date_accessed": "2023-05-15T00:00:00Z",
+ "date_published": "2023-03-16T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
+ ],
+ "source": "MITRE",
+ "title": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation"
+ },
+ "related": [],
+ "uuid": "a43dd8ce-23d6-5768-8522-6973dc45e1ac",
+ "value": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation"
+ },
{
"description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020.",
"meta": {
@@ -22845,6 +23053,21 @@
"uuid": "16d0dd05-763a-4503-aa88-c8867d8f202d",
"value": "GitHub ohpe Juicy Potato"
},
+ {
+ "description": "outflanknl. (n.d.). GitHub outflanknl Dumpert. Retrieved September 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-05T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/outflanknl/Dumpert"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub outflanknl Dumpert"
+ },
+ "related": [],
+ "uuid": "ab375812-def9-4491-a69f-62755fb26910",
+ "value": "GitHub outflanknl Dumpert"
+ },
{
"description": "Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. Retrieved January 11, 2021.",
"meta": {
@@ -23067,6 +23290,21 @@
"uuid": "c2556bcf-9cc9-4f46-8a0f-8f8d801dfdbf",
"value": "GitHub Terminator"
},
+ {
+ "description": "wavestone-cdt. (n.d.). GitHub wavestone-cdt EDRSandBlast. Retrieved September 5, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-05T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://github.com/wavestone-cdt/EDRSandblast"
+ ],
+ "source": "Tidal Cyber",
+ "title": "GitHub wavestone-cdt EDRSandBlast"
+ },
+ "related": [],
+ "uuid": "228dd3e1-1952-447c-a500-31663a2efe45",
+ "value": "GitHub wavestone-cdt EDRSandBlast"
+ },
{
"description": "xmrig. (n.d.). GitHub xmrig-proxy. Retrieved October 25, 2023.",
"meta": {
@@ -24541,21 +24779,6 @@
"uuid": "95d6d1ce-ceba-48ee-88c4-0fb30058bd80",
"value": "Specter Ops - Cloud Credential Storage"
},
- {
- "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.",
- "meta": {
- "date_accessed": "2021-01-20T00:00:00Z",
- "date_published": "2019-09-23T00:00:00Z",
- "refs": [
- "https://securelist.com/my-name-is-dtrack/93338/"
- ],
- "source": "MITRE",
- "title": "Hello! My name is Dtrack"
- },
- "related": [],
- "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd",
- "value": "Securelist Dtrack"
- },
{
"description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
"meta": {
@@ -24572,19 +24795,19 @@
"value": "Securelist Dtrack2"
},
{
- "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.",
+ "description": "Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.",
"meta": {
- "date_accessed": "2014-12-04T00:00:00Z",
- "date_published": "2012-11-08T00:00:00Z",
+ "date_accessed": "2021-01-20T00:00:00Z",
+ "date_published": "2019-09-23T00:00:00Z",
"refs": [
- "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464"
+ "https://securelist.com/my-name-is-dtrack/93338/"
],
"source": "MITRE",
- "title": "Help eliminate unquoted path vulnerabilities"
+ "title": "Hello! My name is Dtrack"
},
"related": [],
- "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e",
- "value": "Baggett 2012"
+ "uuid": "49bd8841-a4b5-4ced-adfa-0ad0c8625ccd",
+ "value": "Securelist Dtrack"
},
{
"description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.",
@@ -24601,6 +24824,21 @@
"uuid": "23ad5a8c-cbe1-4f40-8757-f1784a4003a1",
"value": "Help eliminate unquoted path"
},
+ {
+ "description": "Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.",
+ "meta": {
+ "date_accessed": "2014-12-04T00:00:00Z",
+ "date_published": "2012-11-08T00:00:00Z",
+ "refs": [
+ "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464"
+ ],
+ "source": "MITRE",
+ "title": "Help eliminate unquoted path vulnerabilities"
+ },
+ "related": [],
+ "uuid": "9b234329-5e05-4035-af38-dd8ab20fd68e",
+ "value": "Baggett 2012"
+ },
{
"description": "Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.",
"meta": {
@@ -24915,6 +25153,22 @@
"uuid": "647f6be8-fe95-4045-8778-f7d7ff00c96c",
"value": "Synack Secure Kernel Extension Broken"
},
+ {
+ "description": "Britton Manahan. (2024, September 14). Highway Blobbery: Data Theft using Azure Storage Explorer. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2024-09-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.modepush.com/blog/highway-blobbery-data-theft-using-azure-storage-explorer"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Highway Blobbery: Data Theft using Azure Storage Explorer"
+ },
+ "related": [],
+ "uuid": "a4c50b03-f0d7-4d29-a9de-e550be61390c",
+ "value": "modePUSH Azure Storage Explorer September 14 2024"
+ },
{
"description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.",
"meta": {
@@ -24961,21 +25215,6 @@
"uuid": "f5e43446-04ea-4dcd-be3a-22f8b10b8aa1",
"value": "Hive Ransomware Analysis | Kroll"
},
- {
- "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.",
- "meta": {
- "date_accessed": "2020-03-16T00:00:00Z",
- "date_published": "2017-04-20T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
- ],
- "source": "MITRE",
- "title": "HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree"
- },
- "related": [],
- "uuid": "cb9b5391-773f-4b56-8c41-d4f548c7b835",
- "value": "Microsoft CurrentControlSet Services"
- },
{
"description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.",
"meta": {
@@ -24991,6 +25230,21 @@
"uuid": "171cfdf1-d91c-4df3-831e-89b6237e3c8b",
"value": "microsoft_services_registry_tree"
},
+ {
+ "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.",
+ "meta": {
+ "date_accessed": "2020-03-16T00:00:00Z",
+ "date_published": "2017-04-20T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
+ ],
+ "source": "MITRE",
+ "title": "HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree"
+ },
+ "related": [],
+ "uuid": "cb9b5391-773f-4b56-8c41-d4f548c7b835",
+ "value": "Microsoft CurrentControlSet Services"
+ },
{
"description": "Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.",
"meta": {
@@ -27090,6 +27344,22 @@
"uuid": "f5367abc-e776-41a0-b8e5-6dc60079c081",
"value": "Cisco Talos Q2 Trends July 26 2023"
},
+ {
+ "description": "SentinelOne. (2023, September 21). Inc. Ransom. Retrieved January 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-01T00:00:00Z",
+ "date_published": "2023-09-21T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.sentinelone.com/anthology/inc-ransom/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Inc. Ransom"
+ },
+ "related": [],
+ "uuid": "7e793738-c132-47bf-90aa-1f0659564d16",
+ "value": "SentinelOne September 21 2023"
+ },
{
"description": "Cybersecurity and Infrastructure Security Agency. (2023, July 6). Increased Truebot Activity Infects U.S. and Canada Based Networks. Retrieved July 6, 2023.",
"meta": {
@@ -28374,6 +28644,20 @@
"uuid": "956b3d80-4e19-4cab-a65f-ad86f233aa12",
"value": "GitHub Invoke-Obfuscation"
},
+ {
+ "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
+ "meta": {
+ "date_accessed": "2022-09-30T00:00:00Z",
+ "refs": [
+ "https://github.com/peewpw/Invoke-PSImage"
+ ],
+ "source": "MITRE",
+ "title": "Invoke-PSImage"
+ },
+ "related": [],
+ "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c",
+ "value": "GitHub PSImage"
+ },
{
"description": "Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.",
"meta": {
@@ -28389,20 +28673,6 @@
"uuid": "dd210b79-bd5f-4282-9542-4d1ae2f16438",
"value": "GitHub Invoke-PSImage"
},
- {
- "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
- "meta": {
- "date_accessed": "2022-09-30T00:00:00Z",
- "refs": [
- "https://github.com/peewpw/Invoke-PSImage"
- ],
- "source": "MITRE",
- "title": "Invoke-PSImage"
- },
- "related": [],
- "uuid": "449c873c-c5af-45b8-8bd7-505d2181a05c",
- "value": "GitHub PSImage"
- },
{
"description": "PowerShellMafia. (2016, December 14). Invoke-Shellcode. Retrieved May 25, 2023.",
"meta": {
@@ -29437,21 +29707,6 @@
"uuid": "26a554dc-39c0-4638-902d-7e84fe01b961",
"value": "U.S. Justice Department GRU Botnet February 2024"
},
- {
- "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.",
- "meta": {
- "date_accessed": "2022-02-01T00:00:00Z",
- "date_published": "2020-06-13T00:00:00Z",
- "refs": [
- "https://o365blog.com/post/just-looking"
- ],
- "source": "MITRE",
- "title": "Just looking: Azure Active Directory reconnaissance as an outsider"
- },
- "related": [],
- "uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b",
- "value": "Azure AD Recon"
- },
{
"description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.",
"meta": {
@@ -29467,6 +29722,21 @@
"uuid": "42dad2a3-5b33-4be4-a19b-58a27fb3ee5d",
"value": "Azure Active Directory Reconnaisance"
},
+ {
+ "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.",
+ "meta": {
+ "date_accessed": "2022-02-01T00:00:00Z",
+ "date_published": "2020-06-13T00:00:00Z",
+ "refs": [
+ "https://o365blog.com/post/just-looking"
+ ],
+ "source": "MITRE",
+ "title": "Just looking: Azure Active Directory reconnaissance as an outsider"
+ },
+ "related": [],
+ "uuid": "16565eaf-44fb-44f4-b490-40dc1160ff2b",
+ "value": "Azure AD Recon"
+ },
{
"description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.",
"meta": {
@@ -29497,21 +29767,6 @@
"uuid": "459fcde2-7ac3-4640-a5bc-cd8750e54962",
"value": "Kali Redsnarf"
},
- {
- "description": "Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
- "meta": {
- "date_accessed": "2019-10-10T00:00:00Z",
- "date_published": "2014-05-03T00:00:00Z",
- "refs": [
- "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html"
- ],
- "source": "MITRE",
- "title": "Kansa: Service related collectors and analysis"
- },
- "related": [],
- "uuid": "58d5bc0b-8548-4c3a-8302-e07df3b961ff",
- "value": "TrustedSignal Service Failure"
- },
{
"description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
"meta": {
@@ -29527,6 +29782,21 @@
"uuid": "d854f84a-4d70-4ef4-9197-d8f5396feabb",
"value": "Kansa Service related collectors"
},
+ {
+ "description": "Hull, D. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
+ "meta": {
+ "date_accessed": "2019-10-10T00:00:00Z",
+ "date_published": "2014-05-03T00:00:00Z",
+ "refs": [
+ "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html"
+ ],
+ "source": "MITRE",
+ "title": "Kansa: Service related collectors and analysis"
+ },
+ "related": [],
+ "uuid": "58d5bc0b-8548-4c3a-8302-e07df3b961ff",
+ "value": "TrustedSignal Service Failure"
+ },
{
"description": "Cybersecurity and Infrastructure Security Agency. (2023, December 12). Karakurt Data Extortion Group. Retrieved May 1, 2024.",
"meta": {
@@ -30608,8 +30878,8 @@
"title": "Lazarus KillDisks Central American casino"
},
"related": [],
- "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3",
- "value": "ESET Lazarus KillDisk April 2018"
+ "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49",
+ "value": "Lazarus KillDisk"
},
{
"description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.",
@@ -30623,8 +30893,8 @@
"title": "Lazarus KillDisks Central American casino"
},
"related": [],
- "uuid": "6f931476-29e6-4bba-ba1b-37ab742f4b49",
- "value": "Lazarus KillDisk"
+ "uuid": "454704b7-9ede-4d30-acfd-2cf16a89bcb3",
+ "value": "ESET Lazarus KillDisk April 2018"
},
{
"description": "Dinesh Devadoss, Phil Stokes. (2022, September 26). Lazarus \"Operation In(ter)ception\" Targets macOS Users Dreaming of Jobs in Crypto. Retrieved March 8, 2024.",
@@ -30672,21 +30942,6 @@
"uuid": "ba6a5fcc-9391-42c0-8b90-57b729525f41",
"value": "Kaspersky ThreatNeedle Feb 2021"
},
- {
- "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.",
- "meta": {
- "date_accessed": "2018-10-03T00:00:00Z",
- "date_published": "2017-04-03T00:00:00Z",
- "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
- ],
- "source": "MITRE",
- "title": "Lazarus Under the Hood"
- },
- "related": [],
- "uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc",
- "value": "Kaspersky Lazarus Under The Hood APR 2017"
- },
{
"description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
"meta": {
@@ -30702,6 +30957,21 @@
"uuid": "a1e1ab6a-8db0-4593-95ec-78784607dfa0",
"value": "Kaspersky Lazarus Under The Hood Blog 2017"
},
+ {
+ "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved October 3, 2018.",
+ "meta": {
+ "date_accessed": "2018-10-03T00:00:00Z",
+ "date_published": "2017-04-03T00:00:00Z",
+ "refs": [
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Lazarus Under the Hood"
+ },
+ "related": [],
+ "uuid": "312b30b1-3bd6-46ea-8f77-504f442499bc",
+ "value": "Kaspersky Lazarus Under The Hood APR 2017"
+ },
{
"description": "Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.",
"meta": {
@@ -32435,21 +32705,6 @@
"uuid": "80bb8646-1eb0-442a-aa51-ee3efaf75915",
"value": "alientvault macspy"
},
- {
- "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.",
- "meta": {
- "date_accessed": "2021-03-18T00:00:00Z",
- "date_published": "2020-07-07T00:00:00Z",
- "refs": [
- "https://blog.malwarebytes.com/detections/osx-thiefquest/"
- ],
- "source": "MITRE",
- "title": "Mac ThiefQuest malware may not be ransomware after all"
- },
- "related": [],
- "uuid": "b265ef93-c1fb-440d-a9e0-89cf25a3de05",
- "value": "Reed thiefquest fake ransom"
- },
{
"description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.",
"meta": {
@@ -32465,6 +32720,21 @@
"uuid": "47b49df4-34f1-4a89-9983-e8bc19aadf8c",
"value": "reed thiefquest ransomware analysis"
},
+ {
+ "description": "Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-18T00:00:00Z",
+ "date_published": "2020-07-07T00:00:00Z",
+ "refs": [
+ "https://blog.malwarebytes.com/detections/osx-thiefquest/"
+ ],
+ "source": "MITRE",
+ "title": "Mac ThiefQuest malware may not be ransomware after all"
+ },
+ "related": [],
+ "uuid": "b265ef93-c1fb-440d-a9e0-89cf25a3de05",
+ "value": "Reed thiefquest fake ransom"
+ },
{
"description": "Jerome Segura. (2023, September 6). Mac users targeted in new malvertising campaign delivering Atomic Stealer. Retrieved April 19, 2024.",
"meta": {
@@ -33174,21 +33444,6 @@
"uuid": "9b52a72b-938a-5eb6-a3b7-5a925657f0a3",
"value": "Malware Monday VBE"
},
- {
- "description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.",
- "meta": {
- "date_accessed": "2018-04-06T00:00:00Z",
- "date_published": "2015-04-01T00:00:00Z",
- "refs": [
- "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
- ],
- "source": "MITRE",
- "title": "Malware Persistence on OS X Yosemite"
- },
- "related": [],
- "uuid": "7e3f3dda-c407-4b06-a6b0-8b72c4dad6e6",
- "value": "RSAC 2015 San Francisco Patrick Wardle"
- },
{
"description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.",
"meta": {
@@ -33204,6 +33459,21 @@
"uuid": "d4e3b066-c439-4284-ba28-3b8bd8ec270e",
"value": "Malware Persistence on OS X"
},
+ {
+ "description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.",
+ "meta": {
+ "date_accessed": "2018-04-06T00:00:00Z",
+ "date_published": "2015-04-01T00:00:00Z",
+ "refs": [
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
+ ],
+ "source": "MITRE",
+ "title": "Malware Persistence on OS X Yosemite"
+ },
+ "related": [],
+ "uuid": "7e3f3dda-c407-4b06-a6b0-8b72c4dad6e6",
+ "value": "RSAC 2015 San Francisco Patrick Wardle"
+ },
{
"description": "Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.",
"meta": {
@@ -34198,20 +34468,6 @@
"uuid": "aa7393ad-0760-4f27-a068-17beba17bbe3",
"value": "Secureworks NICKEL ACADEMY Dec 2017"
},
- {
- "description": "Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.",
- "meta": {
- "date_accessed": "2021-06-23T00:00:00Z",
- "refs": [
- "https://www.cybereason.com/blog/medusalocker-ransomware"
- ],
- "source": "MITRE",
- "title": "MedusaLocker Ransomware"
- },
- "related": [],
- "uuid": "f7b41120-8455-409f-ad9c-815c2c43edfd",
- "value": "Cybereason Nocturnus MedusaLocker 2020"
- },
{
"description": "Health Sector Cybersecurity Coordination Center (HC3). (2023, February 24). MedusaLocker Ransomware. Retrieved August 11, 2023.",
"meta": {
@@ -34228,6 +34484,20 @@
"uuid": "49e314d6-5324-41e0-8bee-2b3e08d5e12f",
"value": "HC3 Analyst Note MedusaLocker Ransomware February 2023"
},
+ {
+ "description": "Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.",
+ "meta": {
+ "date_accessed": "2021-06-23T00:00:00Z",
+ "refs": [
+ "https://www.cybereason.com/blog/medusalocker-ransomware"
+ ],
+ "source": "MITRE",
+ "title": "MedusaLocker Ransomware"
+ },
+ "related": [],
+ "uuid": "f7b41120-8455-409f-ad9c-815c2c43edfd",
+ "value": "Cybereason Nocturnus MedusaLocker 2020"
+ },
{
"description": "Lawrence Abrams. (2023, March 12). Medusa ransomware gang picks up steam as it targets companies worldwide. Retrieved September 14, 2023.",
"meta": {
@@ -34695,21 +34965,6 @@
"uuid": "f9daf15d-61ea-4cfa-a4e8-9d33d1acd28f",
"value": "Microsoft HTML Help May 2018"
},
- {
- "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.",
- "meta": {
- "date_accessed": "2019-10-04T00:00:00Z",
- "date_published": "2019-08-27T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
- ],
- "source": "MITRE",
- "title": "Microsoft identity platform access tokens"
- },
- "related": [],
- "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338",
- "value": "Microsoft Identity Platform Access 2019"
- },
{
"description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.",
"meta": {
@@ -34725,6 +34980,21 @@
"uuid": "44767d53-8cd7-44dd-a69d-8a7bebc1d87d",
"value": "Microsoft - Azure AD Identity Tokens - Aug 2019"
},
+ {
+ "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.",
+ "meta": {
+ "date_accessed": "2019-10-04T00:00:00Z",
+ "date_published": "2019-08-27T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
+ ],
+ "source": "MITRE",
+ "title": "Microsoft identity platform access tokens"
+ },
+ "related": [],
+ "uuid": "a39d976e-9b52-48f3-b5db-0ffd84ecd338",
+ "value": "Microsoft Identity Platform Access 2019"
+ },
{
"description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.",
"meta": {
@@ -34886,21 +35156,6 @@
"uuid": "86955cd2-5980-44ba-aa7b-4b9f8e347730",
"value": "Microsoft WDAC"
},
- {
- "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.",
- "meta": {
- "date_accessed": "2022-04-07T00:00:00Z",
- "date_published": "2022-03-29T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
- ],
- "source": "MITRE",
- "title": "Microsoft recommended driver block rules"
- },
- "related": [],
- "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3",
- "value": "Microsoft driver block rules - Duplicate"
- },
{
"description": "Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.",
"meta": {
@@ -34916,6 +35171,21 @@
"uuid": "2ad8414a-4490-4896-8266-556b8bdbb77f",
"value": "Microsoft Driver Block Rules"
},
+ {
+ "description": "Jordan Geurten et al. . (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.",
+ "meta": {
+ "date_accessed": "2022-04-07T00:00:00Z",
+ "date_published": "2022-03-29T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
+ ],
+ "source": "MITRE",
+ "title": "Microsoft recommended driver block rules"
+ },
+ "related": [],
+ "uuid": "9bb5c330-56bd-47e7-8414-729d8e6cb3b3",
+ "value": "Microsoft driver block rules - Duplicate"
+ },
{
"description": "Microsoft. (n.d.). Retrieved January 24, 2020.",
"meta": {
@@ -35082,6 +35352,22 @@
"uuid": "0e7ea8d0-bdb8-48a6-9718-703f64d16460",
"value": "Microsoft Threat Intelligence LinkedIn July 15 2024"
},
+ {
+ "description": "Microsoft Threat Intelligence. (2024, September 18). Microsoft Threat Intelligence LinkedIn Vanilla Tempest. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2024-09-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.linkedin.com/feed/update/urn:li:activity:7242222140853264385/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Microsoft Threat Intelligence LinkedIn Vanilla Tempest"
+ },
+ "related": [],
+ "uuid": "24c11dff-21df-4ce9-b3df-2e0a886339ff",
+ "value": "MSTIC Vanilla Tempest September 18 2024"
+ },
{
"description": "MsftSecIntel. (2023, May 26). Microsoft Threat Intelligence Tweet April 26 2023. Retrieved June 16, 2023.",
"meta": {
@@ -35357,21 +35643,6 @@
"uuid": "2a01a70c-28a8-444e-95a7-00a568d51ce6",
"value": "Harmj0y DCSync Sept 2015"
},
- {
- "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.",
- "meta": {
- "date_accessed": "2017-12-04T00:00:00Z",
- "date_published": "2015-09-25T00:00:00Z",
- "refs": [
- "https://adsecurity.org/?p=1729"
- ],
- "source": "MITRE",
- "title": "Mimikatz DCSync Usage, Exploitation, and Detection"
- },
- "related": [],
- "uuid": "856ed70b-29b0-4f56-b5ae-a98981a22eaf",
- "value": "AdSecurity DCSync Sept 2015"
- },
{
"description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.",
"meta": {
@@ -35387,6 +35658,21 @@
"uuid": "61b0bb42-2ed6-413d-b331-0a84df12a87d",
"value": "ADSecurity Mimikatz DCSync"
},
+ {
+ "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.",
+ "meta": {
+ "date_accessed": "2017-12-04T00:00:00Z",
+ "date_published": "2015-09-25T00:00:00Z",
+ "refs": [
+ "https://adsecurity.org/?p=1729"
+ ],
+ "source": "MITRE",
+ "title": "Mimikatz DCSync Usage, Exploitation, and Detection"
+ },
+ "related": [],
+ "uuid": "856ed70b-29b0-4f56-b5ae-a98981a22eaf",
+ "value": "AdSecurity DCSync Sept 2015"
+ },
{
"description": "Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.",
"meta": {
@@ -35507,21 +35793,6 @@
"uuid": "0110500c-bf67-43a5-97cb-16eb6c01040b",
"value": "APT15 Intezer June 2018"
},
- {
- "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.",
- "meta": {
- "date_accessed": "2024-03-13T00:00:00Z",
- "date_published": "2019-11-19T00:00:00Z",
- "refs": [
- "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/"
- ],
- "source": "MITRE",
- "title": "Mispadu: Advertisement for a discounted Unhappy Meal"
- },
- "related": [],
- "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba",
- "value": "ESET Security Mispadu Facebook Ads 2019"
- },
{
"description": "ESET Research. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved April 4, 2024.",
"meta": {
@@ -35538,6 +35809,21 @@
"uuid": "a27753c1-2f7a-40c4-9e28-a37265bce28c",
"value": "ESET Mispadu November 2019"
},
+ {
+ "description": "ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-13T00:00:00Z",
+ "date_published": "2019-11-19T00:00:00Z",
+ "refs": [
+ "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/"
+ ],
+ "source": "MITRE",
+ "title": "Mispadu: Advertisement for a discounted Unhappy Meal"
+ },
+ "related": [],
+ "uuid": "e1b945f4-20e0-5b69-8fd7-f05afce8c0ba",
+ "value": "ESET Security Mispadu Facebook Ads 2019"
+ },
{
"description": "Duarte, H., Morrison, B. (2012). (Mis)trusting and (ab)using ssh. Retrieved January 8, 2018.",
"meta": {
@@ -35938,6 +36224,22 @@
"uuid": "ea64a3a5-a248-44bb-98cd-f7e3d4c23d4e",
"value": "Forcepoint Monsoon"
},
+ {
+ "description": "Nathaniel Morales; Joshua Paul Ignacio Read time. (2023, August 14). Monti Ransomware Unleashes a New Encryptor for Linux. Retrieved January 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-01T00:00:00Z",
+ "date_published": "2023-08-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Monti Ransomware Unleashes a New Encryptor for Linux"
+ },
+ "related": [],
+ "uuid": "12d2fbc5-f9cb-41b5-96a6-1cd100b5a173",
+ "value": "Trend Micro August 14 2023"
+ },
{
"description": "Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks . Retrieved May 29, 2024.",
"meta": {
@@ -36194,21 +36496,6 @@
"uuid": "e208c277-e477-4123-8c3c-313d55cdc1ea",
"value": "Volatility Detecting Hooks Sept 2012"
},
- {
- "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
- "meta": {
- "date_accessed": "2017-03-10T00:00:00Z",
- "date_published": "2012-11-20T00:00:00Z",
- "refs": [
- "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
- ],
- "source": "MITRE",
- "title": "Mozilla Foundation Security Advisory 2012-98"
- },
- "related": [],
- "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62",
- "value": "mozilla_sec_adv_2012"
- },
{
"description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
"meta": {
@@ -36224,6 +36511,21 @@
"uuid": "920d1607-154e-4c74-b1eb-0d8299be536f",
"value": "Mozilla Firefox Installer DLL Hijack"
},
+ {
+ "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
+ "meta": {
+ "date_accessed": "2017-03-10T00:00:00Z",
+ "date_published": "2012-11-20T00:00:00Z",
+ "refs": [
+ "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
+ ],
+ "source": "MITRE",
+ "title": "Mozilla Foundation Security Advisory 2012-98"
+ },
+ "related": [],
+ "uuid": "cd720550-a0b5-4d1d-85dd-98da97f45b62",
+ "value": "mozilla_sec_adv_2012"
+ },
{
"description": "LOLBAS. (2020, March 20). MpCmdRun.exe. Retrieved December 4, 2023.",
"meta": {
@@ -37648,21 +37950,6 @@
"uuid": "5695d3a2-6b6c-433a-9254-d4a2e001a8be",
"value": "Bleeping Computer Evil Corp mimics PayloadBin gang 2022"
},
- {
- "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.",
- "meta": {
- "date_accessed": "2018-04-11T00:00:00Z",
- "date_published": "2016-03-22T00:00:00Z",
- "refs": [
- "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/"
- ],
- "source": "MITRE",
- "title": "New feature in Office 2016 can block macros and help prevent infection"
- },
- "related": [],
- "uuid": "4d0f4d0a-b812-42f8-a52c-a1f5c69e6337",
- "value": "Microsoft Block Office Macros"
- },
{
"description": "Microsoft Malware Protection Center. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved July 3, 2017.",
"meta": {
@@ -37678,6 +37965,21 @@
"uuid": "f14f08c5-de51-4827-ba3a-f0598dfbe505",
"value": "TechNet Office Macro Security"
},
+ {
+ "description": "Windows Defender Research. (2016, March 22). New feature in Office 2016 can block macros and help prevent infection. Retrieved April 11, 2018.",
+ "meta": {
+ "date_accessed": "2018-04-11T00:00:00Z",
+ "date_published": "2016-03-22T00:00:00Z",
+ "refs": [
+ "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/"
+ ],
+ "source": "MITRE",
+ "title": "New feature in Office 2016 can block macros and help prevent infection"
+ },
+ "related": [],
+ "uuid": "4d0f4d0a-b812-42f8-a52c-a1f5c69e6337",
+ "value": "Microsoft Block Office Macros"
+ },
{
"description": "Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.",
"meta": {
@@ -37782,21 +38084,6 @@
"uuid": "1641553f-96e7-4829-8c77-d96388dac5c7",
"value": "Avast CCleaner3 2018"
},
- {
- "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.",
- "meta": {
- "date_accessed": "2020-12-17T00:00:00Z",
- "date_published": "2017-04-06T00:00:00Z",
- "refs": [
- "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
- ],
- "source": "MITRE",
- "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet"
- },
- "related": [],
- "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3",
- "value": "Tsunami"
- },
{
"description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.",
"meta": {
@@ -37812,6 +38099,21 @@
"uuid": "489a6c57-f64c-423b-a7bd-169fa36c4cdf",
"value": "amnesia malware"
},
+ {
+ "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.",
+ "meta": {
+ "date_accessed": "2020-12-17T00:00:00Z",
+ "date_published": "2017-04-06T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
+ ],
+ "source": "MITRE",
+ "title": "New IoT/Linux Malware Targets DVRs, Forms Botnet"
+ },
+ "related": [],
+ "uuid": "95b5b03e-f160-47cf-920c-8f4f3d4114a3",
+ "value": "Tsunami"
+ },
{
"description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.",
"meta": {
@@ -37918,21 +38220,6 @@
"uuid": "b1540c5c-0bbc-4b9d-9185-fae224ba31be",
"value": "Gallagher 2015"
},
- {
- "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.",
- "meta": {
- "date_accessed": "2017-12-18T00:00:00Z",
- "date_published": "2017-11-28T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
- ],
- "source": "MITRE",
- "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection"
- },
- "related": [],
- "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8",
- "value": "FireEye TLS Nov 2017"
- },
{
"description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.",
"meta": {
@@ -37948,6 +38235,21 @@
"uuid": "32c0b9d2-9f31-4e49-8b3a-c63ff4fffa47",
"value": "FireEye Ursnif Nov 2017"
},
+ {
+ "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.",
+ "meta": {
+ "date_accessed": "2017-12-18T00:00:00Z",
+ "date_published": "2017-11-28T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
+ ],
+ "source": "MITRE",
+ "title": "Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection"
+ },
+ "related": [],
+ "uuid": "9737055a-f583-448e-84d0-1d336c4da9a8",
+ "value": "FireEye TLS Nov 2017"
+ },
{
"description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
"meta": {
@@ -38233,6 +38535,22 @@
"uuid": "2263af27-9c30-4bf6-a204-2f148ebdd17c",
"value": "Unit 42 MechaFlounder March 2019"
},
+ {
+ "description": "Bill Cozens. (2024, September 9). New RansomHub attack uses TDSSKiller and LaZagne, disables EDR. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-09-09T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.threatdown.com/blog/new-ransomhub-attack-uses-tdskiller-and-lazagne-disables-edr/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "New RansomHub attack uses TDSSKiller and LaZagne, disables EDR"
+ },
+ "related": [],
+ "uuid": "34422e6e-0e79-48ba-a942-9816e9b4ee7c",
+ "value": "ThreatDown RansomHub September 9 2024"
+ },
{
"description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.",
"meta": {
@@ -38578,21 +38896,6 @@
"uuid": "bc7755a0-5ee3-477b-b8d7-67174a59d0e2",
"value": "Avira Mustang Panda January 2020"
},
- {
- "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.",
- "meta": {
- "date_accessed": "2016-08-17T00:00:00Z",
- "date_published": "2016-05-24T00:00:00Z",
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
- ],
- "source": "MITRE",
- "title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism"
- },
- "related": [],
- "uuid": "4a946c3f-ee0a-4649-8104-2bd9d90ebd49",
- "value": "Palo Alto DNS Requests"
- },
{
"description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.",
"meta": {
@@ -38608,6 +38911,21 @@
"uuid": "6f08aa4e-c89f-4d3e-8f46-e856e21d2d50",
"value": "PaloAlto DNS Requests May 2016"
},
+ {
+ "description": "Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.",
+ "meta": {
+ "date_accessed": "2016-08-17T00:00:00Z",
+ "date_published": "2016-05-24T00:00:00Z",
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
+ ],
+ "source": "MITRE",
+ "title": "New Wekby Attacks Use DNS Requests As Command and Control Mechanism"
+ },
+ "related": [],
+ "uuid": "4a946c3f-ee0a-4649-8104-2bd9d90ebd49",
+ "value": "Palo Alto DNS Requests"
+ },
{
"description": "Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.",
"meta": {
@@ -38846,21 +39164,6 @@
"uuid": "65f1bbaa-8ad1-4ad5-b726-660558d27efc",
"value": "Nmap: the Network Mapper"
},
- {
- "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
- "meta": {
- "date_accessed": "2022-03-25T00:00:00Z",
- "date_published": "2021-10-25T00:00:00Z",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
- ],
- "source": "MITRE",
- "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"
- },
- "related": [],
- "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373",
- "value": "MSTIC Nobelium Oct 2021"
- },
{
"description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved January 31, 2022.",
"meta": {
@@ -38876,6 +39179,21 @@
"uuid": "aa315293-77a5-4ad9-b024-9af844edff9a",
"value": "Microsoft Nobelium Admin Privileges"
},
+ {
+ "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
+ "meta": {
+ "date_accessed": "2022-03-25T00:00:00Z",
+ "date_published": "2021-10-25T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
+ ],
+ "source": "MITRE",
+ "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks"
+ },
+ "related": [],
+ "uuid": "7b6cc308-9871-47e5-9039-a9a7e66ce373",
+ "value": "MSTIC Nobelium Oct 2021"
+ },
{
"description": "Symantec Threat Hunter Team. (2022, September 22). Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics. Retrieved September 14, 2023.",
"meta": {
@@ -39025,6 +39343,22 @@
"uuid": "f8700002-5da6-4cb8-be62-34e421d2a573",
"value": "Malwarebytes Pony April 2016"
},
+ {
+ "description": "Bill Toulas. (2024, September 10). NoName ransomware gang deploying RansomHub malware in recent attacks. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2024-09-10T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deploying-ransomhub-malware-in-recent-attacks/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "NoName ransomware gang deploying RansomHub malware in recent attacks"
+ },
+ "related": [],
+ "uuid": "79752048-f2fd-4357-9e0a-15b9a2927852",
+ "value": "BleepingComputer NoName September 10 2024"
+ },
{
"description": "Ruohonen, S. & Robinson, S. (2023, February 2). No Pineapple! -DPRK Targeting of Medical Research and Technology Sector. Retrieved July 10, 2023.",
"meta": {
@@ -39884,6 +40218,21 @@
"uuid": "e3d932fc-0148-43b9-bcc7-971dd7ba3bf8",
"value": "Bitdefender Agent Tesla April 2020"
},
+ {
+ "description": "Council on Foreign Relations. (n.d.). OilRig. Retrieved September 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-01T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cfr.org/cyber-operations/oilrig"
+ ],
+ "source": "Tidal Cyber",
+ "title": "OilRig"
+ },
+ "related": [],
+ "uuid": "db9985eb-d536-45b9-a82b-34d8cdd2b699",
+ "value": "CFR OilRig Profile"
+ },
{
"description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.",
"meta": {
@@ -39929,6 +40278,38 @@
"uuid": "14bbb07b-caeb-4d17-8e54-047322a5930c",
"value": "Palo Alto OilRig Oct 2016"
},
+ {
+ "description": "ESET Research. (2024, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved September 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-03T00:00:00Z",
+ "date_published": "2024-09-21T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes"
+ },
+ "related": [],
+ "uuid": "21ee3e95-ac4b-48f7-b948-249e1884bc96",
+ "value": "ESET OilRig September 21 2023"
+ },
+ {
+ "description": "Zuzana Hromcová, Adam Burgher. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved September 1, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-01T00:00:00Z",
+ "date_published": "2023-12-14T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "OilRig’s persistent attacks using cloud service-powered downloaders"
+ },
+ "related": [],
+ "uuid": "f96b74d5-ff75-47c6-a9a2-b2f43db351bc",
+ "value": "ESET OilRig December 14 2023"
+ },
{
"description": "Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.",
"meta": {
@@ -40773,21 +41154,6 @@
"uuid": "4035e871-9291-4d7f-9c5f-d8482d4dc8a7",
"value": "AhnLab Kimsuky Kabar Cobra Feb 2019"
},
- {
- "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
- "meta": {
- "date_accessed": "2014-11-12T00:00:00Z",
- "date_published": "2014-01-01T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
- ],
- "source": "MITRE",
- "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs"
- },
- "related": [],
- "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48",
- "value": "Villeneuve et al 2014"
- },
{
"description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
"meta": {
@@ -40803,6 +41169,21 @@
"uuid": "bb45cf96-ceae-4f46-a0f5-08cd89f699c9",
"value": "Mandiant Operation Ke3chang November 2014"
},
+ {
+ "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.",
+ "meta": {
+ "date_accessed": "2014-11-12T00:00:00Z",
+ "date_published": "2014-01-01T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
+ ],
+ "source": "MITRE",
+ "title": "OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs"
+ },
+ "related": [],
+ "uuid": "31504d92-6c4d-43f0-8548-ccc3aa05ba48",
+ "value": "Villeneuve et al 2014"
+ },
{
"description": "Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.",
"meta": {
@@ -41461,21 +41842,6 @@
"uuid": "55ee5bcc-ba56-58ac-9afb-2349aa75fe39",
"value": "Kubernetes Cloud Native Security"
},
- {
- "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.",
- "meta": {
- "date_accessed": "2023-09-07T00:00:00Z",
- "date_published": "2012-07-23T00:00:00Z",
- "refs": [
- "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
- ],
- "source": "MITRE",
- "title": "Overview of Dynamic Libraries"
- },
- "related": [],
- "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab",
- "value": "Apple Dev Dynamic Libraries"
- },
{
"description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
"meta": {
@@ -41491,6 +41857,21 @@
"uuid": "e3b8cc52-2096-418c-b291-1bc76022961d",
"value": "Apple Doco Archive Dynamic Libraries"
},
+ {
+ "description": "Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.",
+ "meta": {
+ "date_accessed": "2023-09-07T00:00:00Z",
+ "date_published": "2012-07-23T00:00:00Z",
+ "refs": [
+ "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
+ ],
+ "source": "MITRE",
+ "title": "Overview of Dynamic Libraries"
+ },
+ "related": [],
+ "uuid": "39ffd162-4052-57ec-bd20-2fe6b8e6beab",
+ "value": "Apple Dev Dynamic Libraries"
+ },
{
"description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.",
"meta": {
@@ -42279,6 +42660,22 @@
"uuid": "3ca2e78e-751e-460b-9f3c-f851d054bce4",
"value": "Pentesting AD Forests"
},
+ {
+ "description": "U.S. Federal Bureau of Investigation. (2024, September 18). People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2024-09-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.ic3.gov/Media/News/2024/240918.pdf"
+ ],
+ "source": "Tidal Cyber",
+ "title": "People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations"
+ },
+ "related": [],
+ "uuid": "cfb6f191-6c43-423b-9289-02beb3d721d1",
+ "value": "FBI PRC Botnet September 18 2024"
+ },
{
"description": "Cybersecurity and Infrastructure Security Agency. (2023, September 27). People's Republic of China-Linked Cyber Actors Hide in Router Firmware. Retrieved September 29, 2023.",
"meta": {
@@ -42493,21 +42890,6 @@
"uuid": "533b8ae2-2fc3-4cf4-bcaa-5d8bfcba91c0",
"value": "Prevailion EvilNum May 2020"
},
- {
- "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.",
- "meta": {
- "date_accessed": "2020-10-23T00:00:00Z",
- "date_published": "2016-09-24T00:00:00Z",
- "refs": [
- "https://github.com/ryhanson/phishery"
- ],
- "source": "MITRE",
- "title": "phishery"
- },
- "related": [],
- "uuid": "6da51561-a813-4802-aa84-1b3de1bc2e14",
- "value": "GitHub Phishery"
- },
{
"description": "Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.",
"meta": {
@@ -42523,6 +42905,21 @@
"uuid": "7e643cf0-5df7-455d-add7-2342f36bdbcb",
"value": "ryhanson phishery SEPT 2016"
},
+ {
+ "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.",
+ "meta": {
+ "date_accessed": "2020-10-23T00:00:00Z",
+ "date_published": "2016-09-24T00:00:00Z",
+ "refs": [
+ "https://github.com/ryhanson/phishery"
+ ],
+ "source": "MITRE",
+ "title": "phishery"
+ },
+ "related": [],
+ "uuid": "6da51561-a813-4802-aa84-1b3de1bc2e14",
+ "value": "GitHub Phishery"
+ },
{
"description": "ANSSI. (2021, December 6). PHISHING CAMPAIGNS BY THE NOBELIUM INTRUSION SET. Retrieved April 13, 2022.",
"meta": {
@@ -44328,21 +44725,6 @@
"uuid": "069ef9af-3402-4b13-8c60-b397b0b0bfd7",
"value": "PaloAlto EncodedCommand March 2017"
},
- {
- "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
- "meta": {
- "date_accessed": "2020-12-17T00:00:00Z",
- "date_published": "2018-12-06T00:00:00Z",
- "refs": [
- "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
- ],
- "source": "MITRE",
- "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat"
- },
- "related": [],
- "uuid": "ec413dc7-028c-4153-9e98-abe85961747f",
- "value": "anomali-linux-rabbit"
- },
{
"description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.",
"meta": {
@@ -44358,6 +44740,21 @@
"uuid": "e843eb47-21b0-44b9-8065-02aea0a0b05f",
"value": "Anomali Linux Rabbit 2018"
},
+ {
+ "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
+ "meta": {
+ "date_accessed": "2020-12-17T00:00:00Z",
+ "date_published": "2018-12-06T00:00:00Z",
+ "refs": [
+ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+ ],
+ "source": "MITRE",
+ "title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat"
+ },
+ "related": [],
+ "uuid": "ec413dc7-028c-4153-9e98-abe85961747f",
+ "value": "anomali-linux-rabbit"
+ },
{
"description": "CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.",
"meta": {
@@ -45036,21 +45433,6 @@
"uuid": "e096e1f4-6b62-4756-8811-f263cf1dcecc",
"value": "FBI Ransomware Tools November 7 2023"
},
- {
- "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.",
- "meta": {
- "date_accessed": "2021-03-02T00:00:00Z",
- "date_published": "2020-02-24T00:00:00Z",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
- ],
- "source": "MITRE",
- "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT"
- },
- "related": [],
- "uuid": "44856547-2de5-45ff-898f-a523095bd593",
- "value": "FireEye Ransomware Feb 2020"
- },
{
"description": "Zafra, D. Lunden, K. Brubaker, N. Kennelly, J.. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved February 9, 2021.",
"meta": {
@@ -45066,6 +45448,21 @@
"uuid": "9ffa0f35-98e4-4265-8b66-9c805a2b6525",
"value": "FireEye Ransomware Disrupt Industrial Production"
},
+ {
+ "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.",
+ "meta": {
+ "date_accessed": "2021-03-02T00:00:00Z",
+ "date_published": "2020-02-24T00:00:00Z",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
+ ],
+ "source": "MITRE",
+ "title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT"
+ },
+ "related": [],
+ "uuid": "44856547-2de5-45ff-898f-a523095bd593",
+ "value": "FireEye Ransomware Feb 2020"
+ },
{
"description": "Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.",
"meta": {
@@ -45112,6 +45509,22 @@
"uuid": "d0811fd4-e89d-4337-9bc1-a9a8774d44b1",
"value": "Sophos News August 14 2024"
},
+ {
+ "description": "Rapid. (2024, September 12). Ransomware Groups Demystified Lynx Ransomware . Retrieved September 12, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-12T00:00:00Z",
+ "date_published": "2024-09-12T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.rapid7.com/blog/post/2024/09/12/ransomware-groups-demystified-lynx-ransomware/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Ransomware Groups Demystified Lynx Ransomware"
+ },
+ "related": [],
+ "uuid": "21d393ae-d135-4c5a-8c6d-1baa8c0a1e08",
+ "value": "Rapid7 Blog September 12 2024"
+ },
{
"description": "Www.invictus-ir.com. (2024, January 11). Ransomware in the cloud. Retrieved April 17, 2024.",
"meta": {
@@ -46085,6 +46498,20 @@
"uuid": "f58ac1e4-c470-4aac-a077-7f358e25b0fa",
"value": "Microsoft Registry Auditing Aug 2016"
},
+ {
+ "description": "Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
+ "meta": {
+ "date_accessed": "2017-03-16T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx"
+ ],
+ "source": "MITRE",
+ "title": "Registry Key Security and Access Rights"
+ },
+ "related": [],
+ "uuid": "c5627d86-1b59-4c2a-aac0-88f1b4dc6974",
+ "value": "MSDN Registry Key Security"
+ },
{
"description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
"meta": {
@@ -46100,20 +46527,6 @@
"uuid": "f8f12cbb-029c-48b1-87ce-624a7f98c8ab",
"value": "Registry Key Security"
},
- {
- "description": "Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
- "meta": {
- "date_accessed": "2017-03-16T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx"
- ],
- "source": "MITRE",
- "title": "Registry Key Security and Access Rights"
- },
- "related": [],
- "uuid": "c5627d86-1b59-4c2a-aac0-88f1b4dc6974",
- "value": "MSDN Registry Key Security"
- },
{
"description": "Microsoft. (2021, December 14). Registry Trees for Devices and Drivers. Retrieved March 28, 2023.",
"meta": {
@@ -47201,21 +47614,6 @@
"uuid": "d1d6b6fe-ef93-4417-844b-7cd8dc76934b",
"value": "U.S. HHS Royal & BlackCat Alert"
},
- {
- "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.",
- "meta": {
- "date_accessed": "2023-03-30T00:00:00Z",
- "date_published": "2023-02-13T00:00:00Z",
- "refs": [
- "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive"
- ],
- "source": "MITRE",
- "title": "Royal Ransomware Deep Dive"
- },
- "related": [],
- "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745",
- "value": "Kroll Royal Deep Dive February 2023"
- },
{
"description": "Laurie Iacono, Keith Wojcieszek, George Glass. (2023, February 13). Royal Ransomware Deep Dive. Retrieved June 17, 2024.",
"meta": {
@@ -47232,6 +47630,21 @@
"uuid": "de385ede-f928-4a1e-934c-8ce7a6e7f33b",
"value": "Kroll Royal Ransomware February 13 2023"
},
+ {
+ "description": "Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.",
+ "meta": {
+ "date_accessed": "2023-03-30T00:00:00Z",
+ "date_published": "2023-02-13T00:00:00Z",
+ "refs": [
+ "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive"
+ ],
+ "source": "MITRE",
+ "title": "Royal Ransomware Deep Dive"
+ },
+ "related": [],
+ "uuid": "dcdcc965-56d0-58e6-996b-d8bd40916745",
+ "value": "Kroll Royal Deep Dive February 2023"
+ },
{
"description": "Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.",
"meta": {
@@ -47791,19 +48204,20 @@
"value": "Unit42 Redaman January 2019"
},
{
- "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.",
+ "description": "Cybersecurity and Infrastructure Security Agency. (2024, September 5). Russian Military Cyber Actors Target US and Global Critical Infrastructure. Retrieved September 9, 2024.",
"meta": {
- "date_accessed": "2022-05-31T00:00:00Z",
- "date_published": "2022-03-15T00:00:00Z",
+ "date_accessed": "2024-09-09T00:00:00Z",
+ "date_published": "2024-09-05T00:00:00Z",
+ "owner": "TidalCyberIan",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a"
],
- "source": "MITRE",
- "title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability"
+ "source": "Tidal Cyber",
+ "title": "Russian Military Cyber Actors Target US and Global Critical Infrastructure"
},
"related": [],
- "uuid": "00c6ff88-6eeb-486d-ae69-dffd5aebafe6",
- "value": "Russians Exploit Default MFA Protocol - CISA March 2022"
+ "uuid": "9631a46d-3e0a-4f25-962b-0b2501c47926",
+ "value": "U.S. CISA Unit 29155 September 5 2024"
},
{
"description": "Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.",
@@ -47820,6 +48234,21 @@
"uuid": "fa03324e-c79c-422e-80f1-c270fd87d4e2",
"value": "CISA MFA PrintNightmare"
},
+ {
+ "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved May 31, 2022.",
+ "meta": {
+ "date_accessed": "2022-05-31T00:00:00Z",
+ "date_published": "2022-03-15T00:00:00Z",
+ "refs": [
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
+ ],
+ "source": "MITRE",
+ "title": "Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability"
+ },
+ "related": [],
+ "uuid": "00c6ff88-6eeb-486d-ae69-dffd5aebafe6",
+ "value": "Russians Exploit Default MFA Protocol - CISA March 2022"
+ },
{
"description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"meta": {
@@ -48266,6 +48695,22 @@
"uuid": "3a60f7de-9ead-444e-9d08-689c655b26c7",
"value": "Mandiant SCANdalous Jul 2020"
},
+ {
+ "description": "Jakub Souček. (2023, August 22). Scarabs colon-izing vulnerable servers. Retrieved September 13, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-13T00:00:00Z",
+ "date_published": "2023-08-22T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Scarabs colon-izing vulnerable servers"
+ },
+ "related": [],
+ "uuid": "7cbf97fe-1809-4089-b386-a8bfd083df39",
+ "value": "WeLiveSecurity Scarab August 22 2023"
+ },
{
"description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.",
"meta": {
@@ -48281,21 +48726,6 @@
"uuid": "2dd5b872-a4ab-4b77-8457-a3d947298fc0",
"value": "Securelist ScarCruft May 2019"
},
- {
- "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.",
- "meta": {
- "date_accessed": "2023-07-12T00:00:00Z",
- "date_published": "2023-07-11T00:00:00Z",
- "refs": [
- "https://sysdig.com/blog/scarleteel-2-0/"
- ],
- "source": "MITRE",
- "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"
- },
- "related": [],
- "uuid": "90e60242-82d8-5648-b7e4-def6fd508e16",
- "value": "Sysdig ScarletEel 2.0"
- },
{
"description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.",
"meta": {
@@ -48311,6 +48741,21 @@
"uuid": "285266e7-7a62-5f98-9b0f-fefde4b21c88",
"value": "Sysdig ScarletEel 2.0 2023"
},
+ {
+ "description": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.",
+ "meta": {
+ "date_accessed": "2023-07-12T00:00:00Z",
+ "date_published": "2023-07-11T00:00:00Z",
+ "refs": [
+ "https://sysdig.com/blog/scarleteel-2-0/"
+ ],
+ "source": "MITRE",
+ "title": "SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto"
+ },
+ "related": [],
+ "uuid": "90e60242-82d8-5648-b7e4-def6fd508e16",
+ "value": "Sysdig ScarletEel 2.0"
+ },
{
"description": "Alberto Pellitteri. (2023, February 28). SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft. Retrieved February 2, 2023.",
"meta": {
@@ -48327,6 +48772,22 @@
"uuid": "18931f81-51bf-44af-9573-512ccb66c238",
"value": "Sysdig Scarleteel February 28 2023"
},
+ {
+ "description": "Laura Brosnan. (2024, June 26). Scarlet Goldfinch Taking flight with NetSupport Manager - Red Canary. Retrieved June 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-06-26T00:00:00Z",
+ "date_published": "2024-06-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://redcanary.com/blog/threat-intelligence/scarlet-goldfinch/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Scarlet Goldfinch Taking flight with NetSupport Manager - Red Canary"
+ },
+ "related": [],
+ "uuid": "e0d62504-6fec-4d95-9f4a-e0dda7e7b6d9",
+ "value": "Red Canary June 26 2024"
+ },
{
"description": "Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.",
"meta": {
@@ -48923,21 +49384,6 @@
"uuid": "3cc2c996-10e9-4e25-999c-21dc2c69e4af",
"value": "CISA IDN ST05-016"
},
- {
- "description": "Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.",
- "meta": {
- "date_accessed": "2022-02-01T00:00:00Z",
- "date_published": "2017-11-16T00:00:00Z",
- "refs": [
- "https://o365blog.com/post/federation-vulnerability/"
- ],
- "source": "MITRE",
- "title": "Security vulnerability in Azure AD & Office 365 identity federation"
- },
- "related": [],
- "uuid": "123995be-36f5-4cd6-b80a-d601c2d0971e",
- "value": "Azure AD Federation Vulnerability"
- },
{
"description": "Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.",
"meta": {
@@ -48953,6 +49399,21 @@
"uuid": "d2005eb6-4da4-4938-97fb-caa0e2381f4e",
"value": "AADInternals zure AD Federated Domain"
},
+ {
+ "description": "Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.",
+ "meta": {
+ "date_accessed": "2022-02-01T00:00:00Z",
+ "date_published": "2017-11-16T00:00:00Z",
+ "refs": [
+ "https://o365blog.com/post/federation-vulnerability/"
+ ],
+ "source": "MITRE",
+ "title": "Security vulnerability in Azure AD & Office 365 identity federation"
+ },
+ "related": [],
+ "uuid": "123995be-36f5-4cd6-b80a-d601c2d0971e",
+ "value": "Azure AD Federation Vulnerability"
+ },
{
"description": "ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.",
"meta": {
@@ -50865,6 +51326,21 @@
"uuid": "01d9c3ba-29e2-5090-b399-0e7adf50a6b9",
"value": "SocGholish-update"
},
+ {
+ "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.",
+ "meta": {
+ "date_accessed": "2024-03-22T00:00:00Z",
+ "date_published": "2022-11-07T00:00:00Z",
+ "refs": [
+ "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/"
+ ],
+ "source": "MITRE",
+ "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders"
+ },
+ "related": [],
+ "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d",
+ "value": "SentinelOne SocGholish Infrastructure November 2022"
+ },
{
"description": "Aleksandar Milenkoski. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved May 7, 2023.",
"meta": {
@@ -50881,21 +51357,6 @@
"uuid": "c2dd119c-25d8-4e48-8eeb-89552a5a096c",
"value": "SentinelLabs SocGholish November 2022"
},
- {
- "description": "Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.",
- "meta": {
- "date_accessed": "2024-03-22T00:00:00Z",
- "date_published": "2022-11-07T00:00:00Z",
- "refs": [
- "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/"
- ],
- "source": "MITRE",
- "title": "SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders"
- },
- "related": [],
- "uuid": "8a26eeb6-6f80-58f1-b773-b38835c6781d",
- "value": "SentinelOne SocGholish Infrastructure November 2022"
- },
{
"description": "Proofpoint. (2022, November 21). SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US. Retrieved May 7, 2023.",
"meta": {
@@ -51170,6 +51631,22 @@
"uuid": "6fce30c3-17d6-42a0-8470-319e2930e573",
"value": "solution_monitor_dhcp_scopes"
},
+ {
+ "description": "Sekoia TDR; Felix Aimé; Pierre-Antoine D; Charles M; Grégoire Clermont; Jeremy Scion. (2024, July 23). Solving the 7777 Botnet enigma A cybersecurity quest. Retrieved July 24, 2024.",
+ "meta": {
+ "date_accessed": "2024-07-24T00:00:00Z",
+ "date_published": "2024-07-23T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Solving the 7777 Botnet enigma A cybersecurity quest"
+ },
+ "related": [],
+ "uuid": "ae84e72a-56b3-4dc4-b053-d3766764ac0d",
+ "value": "Sekoia.io Blog July 23 2024"
+ },
{
"description": "SophosXOps. (2023, September 13). Sophos X-Ops Tweet September 13 2023. Retrieved September 22, 2023.",
"meta": {
@@ -51872,21 +52349,6 @@
"uuid": "edd0cab4-48f7-48d8-a318-ced118af6a63",
"value": "Sekoia.io Stealc February 27 2023"
},
- {
- "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.",
- "meta": {
- "date_accessed": "2022-08-03T00:00:00Z",
- "date_published": "2022-02-15T00:00:00Z",
- "refs": [
- "https://o365blog.com/post/deviceidentity/"
- ],
- "source": "MITRE",
- "title": "Stealing and faking Azure AD device identities"
- },
- "related": [],
- "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338",
- "value": "O365 Blog Azure AD Device IDs"
- },
{
"description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.",
"meta": {
@@ -51902,6 +52364,21 @@
"uuid": "b5ef16c4-1db0-51e9-93ab-54a8e480debc",
"value": "AADInternals Azure AD Device Identities"
},
+ {
+ "description": "Syynimaa, N. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved August 3, 2022.",
+ "meta": {
+ "date_accessed": "2022-08-03T00:00:00Z",
+ "date_published": "2022-02-15T00:00:00Z",
+ "refs": [
+ "https://o365blog.com/post/deviceidentity/"
+ ],
+ "source": "MITRE",
+ "title": "Stealing and faking Azure AD device identities"
+ },
+ "related": [],
+ "uuid": "ec94c043-92ef-4691-b21a-7ea68f39e338",
+ "value": "O365 Blog Azure AD Device IDs"
+ },
{
"description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.",
"meta": {
@@ -52277,6 +52754,22 @@
"uuid": "ad96148c-8230-4923-86fd-4b1da211db1a",
"value": "U.S. CISA Play Ransomware December 2023"
},
+ {
+ "description": "Cybersecurity and Infrastructure Security Agency. (2024, August 29). #StopRansomware: RansomHub Ransomware. Retrieved September 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-03T00:00:00Z",
+ "date_published": "2024-08-29T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a"
+ ],
+ "source": "Tidal Cyber",
+ "title": "#StopRansomware: RansomHub Ransomware"
+ },
+ "related": [],
+ "uuid": "af338cbd-6416-4dee-95c7-6915f78e2604",
+ "value": "U.S. CISA RansomHub Ransomware August 29 2024"
+ },
{
"description": "Cybersecurity and Infrastructure Security Agency. (2023, November 15). #StopRansomware: Rhysida Ransomware. Retrieved November 16, 2023.",
"meta": {
@@ -52340,6 +52833,22 @@
"uuid": "0a754513-5f20-44a0-8cea-c5d9519106c8",
"value": "U.S. CISA Vice Society September 2022"
},
+ {
+ "description": "Cybersecurity and Infrastructure Security Agency. (2022, August 11). #StopRansomware: Zeppelin Ransomware. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2022-08-11T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-223a"
+ ],
+ "source": "Tidal Cyber",
+ "title": "#StopRansomware: Zeppelin Ransomware"
+ },
+ "related": [],
+ "uuid": "42d98de2-8c9a-4cc4-b5a1-9778c0da3286",
+ "value": "U.S. CISA Zeppelin Ransomware August 11 2022"
+ },
{
"description": "LOLBAS. (2021, October 21). Stordiag.exe. Retrieved December 4, 2023.",
"meta": {
@@ -52622,8 +53131,8 @@
"title": "SUNBURST, TEARDROP and the NetSec New Normal"
},
"related": [],
- "uuid": "4e3d9201-83d4-5375-b3b7-e00dfb16342d",
- "value": "CheckPoint Sunburst & Teardrop December 2020"
+ "uuid": "a6b75979-af51-42ed-9bb9-01d5fb9ceac9",
+ "value": "Check Point Sunburst Teardrop December 2020"
},
{
"description": "Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.",
@@ -52637,8 +53146,8 @@
"title": "SUNBURST, TEARDROP and the NetSec New Normal"
},
"related": [],
- "uuid": "a6b75979-af51-42ed-9bb9-01d5fb9ceac9",
- "value": "Check Point Sunburst Teardrop December 2020"
+ "uuid": "4e3d9201-83d4-5375-b3b7-e00dfb16342d",
+ "value": "CheckPoint Sunburst & Teardrop December 2020"
},
{
"description": "CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.",
@@ -53204,6 +53713,20 @@
"uuid": "2a3c5216-b153-4d89-b0b1-f32af3aa83d0",
"value": "Peripheral Discovery macOS"
},
+ {
+ "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.",
+ "meta": {
+ "date_accessed": "2016-11-25T00:00:00Z",
+ "refs": [
+ "https://msdn.microsoft.com/ms724961.aspx"
+ ],
+ "source": "MITRE",
+ "title": "System Time"
+ },
+ "related": [],
+ "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec",
+ "value": "MSDN System Time"
+ },
{
"description": "ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.",
"meta": {
@@ -53219,20 +53742,6 @@
"uuid": "2dfd22d7-c78b-5967-b732-736f37ea5489",
"value": "linux system time"
},
- {
- "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.",
- "meta": {
- "date_accessed": "2016-11-25T00:00:00Z",
- "refs": [
- "https://msdn.microsoft.com/ms724961.aspx"
- ],
- "source": "MITRE",
- "title": "System Time"
- },
- "related": [],
- "uuid": "5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec",
- "value": "MSDN System Time"
- },
{
"description": "Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024.",
"meta": {
@@ -53715,6 +54224,22 @@
"uuid": "dfd168c0-40da-4402-a123-963eb8e2125a",
"value": "dharma_ransomware"
},
+ {
+ "description": "Check Point Research. (2024, September 11). Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research. Retrieved September 11, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-11T00:00:00Z",
+ "date_published": "2024-09-11T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Targeted Iranian Attacks Against Iraqi Government Infrastructure - Check Point Research"
+ },
+ "related": [],
+ "uuid": "53320d81-4060-4414-b5b8-21d09362bc44",
+ "value": "Check Point Research September 11 2024"
+ },
{
"description": "Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.",
"meta": {
@@ -53940,21 +54465,6 @@
"uuid": "b98f1967-c62f-5afe-a2f7-4c426615d576",
"value": "AquaSec TeamTNT 2023"
},
- {
- "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.",
- "meta": {
- "date_accessed": "2022-08-04T00:00:00Z",
- "date_published": "2022-04-21T00:00:00Z",
- "refs": [
- "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/"
- ],
- "source": "MITRE",
- "title": "TeamTNT targeting AWS, Alibaba"
- },
- "related": [],
- "uuid": "f39b5f92-6e14-4c7f-b79d-7bade722e6d9",
- "value": "Cisco Talos Intelligence Group"
- },
{
"description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022.",
"meta": {
@@ -53970,6 +54480,21 @@
"uuid": "acd1b4c5-da28-584e-b892-599180a8dbb0",
"value": "Talos TeamTNT"
},
+ {
+ "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.",
+ "meta": {
+ "date_accessed": "2022-08-04T00:00:00Z",
+ "date_published": "2022-04-21T00:00:00Z",
+ "refs": [
+ "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/"
+ ],
+ "source": "MITRE",
+ "title": "TeamTNT targeting AWS, Alibaba"
+ },
+ "related": [],
+ "uuid": "f39b5f92-6e14-4c7f-b79d-7bade722e6d9",
+ "value": "Cisco Talos Intelligence Group"
+ },
{
"description": "Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.",
"meta": {
@@ -54975,6 +55500,22 @@
"uuid": "7578541b-1ae3-58d0-a8b9-120bd6cd96f5",
"value": "CrowdStrike Evolution of Pinchy Spider July 2021"
},
+ {
+ "description": "Abe Schneider, Bethany Hardin, Lavine Oluoch . (2022, September 19). The Evolution of the Chromeloader Malware. Retrieved September 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-26T00:00:00Z",
+ "date_published": "2022-09-19T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html"
+ ],
+ "source": "Tidal Cyber",
+ "title": "The Evolution of the Chromeloader Malware"
+ },
+ "related": [],
+ "uuid": "5c2985f1-2d80-488b-ab63-fbd56aba229b",
+ "value": "VMware Chromeloader September 19 2022"
+ },
{
"description": "Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved January 10, 2024.",
"meta": {
@@ -55346,8 +55887,8 @@
"title": "The LaZagne Project !!!"
},
"related": [],
- "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
- "value": "GitHub LaZange Dec 2018"
+ "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
+ "value": "GitHub LaZagne Dec 2018"
},
{
"description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.",
@@ -55360,8 +55901,8 @@
"title": "The LaZagne Project !!!"
},
"related": [],
- "uuid": "9347b507-3a41-405d-87f9-d4fc2bfc48e5",
- "value": "GitHub LaZagne Dec 2018"
+ "uuid": "33cca4fa-72a8-59a3-a62f-12f71a499a15",
+ "value": "GitHub LaZange Dec 2018"
},
{
"description": "SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.",
@@ -55453,6 +55994,22 @@
"uuid": "ed5a2ec0-8328-40db-9f58-7eaac4ad39a0",
"value": "Villeneuve 2011"
},
+ {
+ "description": "Tommy Madjar; Pim Trouerbach; Selena Larson; The Proofpoint Threat Research Team. (2024, August 29). The Malware That Must Not Be Named Suspected Espionage Campaign Delivers “Voldemort†. Retrieved August 29, 2024.",
+ "meta": {
+ "date_accessed": "2024-08-29T00:00:00Z",
+ "date_published": "2024-08-29T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
+ ],
+ "source": "Tidal Cyber",
+ "title": "The Malware That Must Not Be Named Suspected Espionage Campaign Delivers “Voldemortâ€"
+ },
+ "related": [],
+ "uuid": "548f23b2-3ab6-4ea0-839f-8f9c8745d91d",
+ "value": "Proofpoint August 29 2024"
+ },
{
"description": "Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.",
"meta": {
@@ -55932,6 +56489,22 @@
"uuid": "f8a8a3a0-5b30-5f3e-a7b0-f8a4aaae7ee7",
"value": "Cofense Agent Tesla"
},
+ {
+ "description": "Laura Brosnan. (2024, March 18). The rise of Charcoal Stork . Retrieved September 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-26T00:00:00Z",
+ "date_published": "2024-03-18T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://redcanary.com/blog/threat-intelligence/charcoal-stork/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "The rise of Charcoal Stork"
+ },
+ "related": [],
+ "uuid": "a86131cd-1a42-4222-9d39-221dd6e054ba",
+ "value": "Red Canary March 18 2024"
+ },
{
"description": "Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.",
"meta": {
@@ -56595,6 +57168,22 @@
"uuid": "26d7134e-7b93-4aa1-a859-03cf964ca1b5",
"value": "Atlas SEO"
},
+ {
+ "description": "Vanja Svajcer. (2024, September 3). Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads. Retrieved September 3, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-03T00:00:00Z",
+ "date_published": "2024-09-03T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://blog.talosintelligence.com/threat-actors-using-macropack/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads"
+ },
+ "related": [],
+ "uuid": "b222cabd-347d-45d4-aeaf-4135795d944d",
+ "value": "Cisco Talos Blog September 3 2024"
+ },
{
"description": "Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.",
"meta": {
@@ -56791,6 +57380,21 @@
"uuid": "5e1db76a-0a3e-42ce-a66c-f914fb1a3471",
"value": "Unit 42 DGA Feb 2019"
},
+ {
+ "description": "Red Canary. (n.d.). Threat: ChromeLoader. Retrieved September 26, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-26T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://redcanary.com/threat-detection-report/threats/chromeloader/"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Threat: ChromeLoader"
+ },
+ "related": [],
+ "uuid": "bcfe9d10-11fe-4241-8262-bce07e8a11c1",
+ "value": "Red Canary TDR ChromeLoader"
+ },
{
"description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.",
"meta": {
@@ -57523,21 +58127,6 @@
"uuid": "99e48516-f918-477c-b85e-4ad894cc031f",
"value": "JScrip May 2018"
},
- {
- "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.",
- "meta": {
- "date_accessed": "2021-09-02T00:00:00Z",
- "date_published": "2021-05-13T00:00:00Z",
- "refs": [
- "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html"
- ],
- "source": "MITRE, Tidal Cyber",
- "title": "Transparent Tribe APT expands its Windows malware arsenal"
- },
- "related": [],
- "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d",
- "value": "Talos Transparent Tribe May 2021"
- },
{
"description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.",
"meta": {
@@ -57553,6 +58142,21 @@
"uuid": "be1e3092-1981-457b-ae76-b55b057e1d73",
"value": "tt_obliqueRAT"
},
+ {
+ "description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.",
+ "meta": {
+ "date_accessed": "2021-09-02T00:00:00Z",
+ "date_published": "2021-05-13T00:00:00Z",
+ "refs": [
+ "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html"
+ ],
+ "source": "MITRE, Tidal Cyber",
+ "title": "Transparent Tribe APT expands its Windows malware arsenal"
+ },
+ "related": [],
+ "uuid": "5d58c285-bc7d-4a8a-a96a-ac7118c1089d",
+ "value": "Talos Transparent Tribe May 2021"
+ },
{
"description": "N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.",
"meta": {
@@ -57583,21 +58187,6 @@
"uuid": "9bdda422-dbf7-4b70-a7b1-9e3ad658c239",
"value": "tt_httrack_fake_domains"
},
- {
- "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.",
- "meta": {
- "date_accessed": "2021-04-01T00:00:00Z",
- "date_published": "2020-08-20T00:00:00Z",
- "refs": [
- "https://securelist.com/transparent-tribe-part-1/98127/"
- ],
- "source": "MITRE",
- "title": "Transparent Tribe: Evolution analysis, part 1"
- },
- "related": [],
- "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0",
- "value": "Securelist Trasparent Tribe 2020"
- },
{
"description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.",
"meta": {
@@ -57613,6 +58202,21 @@
"uuid": "42c7faa2-f664-4e4a-9d23-93c88a09da5b",
"value": "Kaspersky Transparent Tribe August 2020"
},
+ {
+ "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.",
+ "meta": {
+ "date_accessed": "2021-04-01T00:00:00Z",
+ "date_published": "2020-08-20T00:00:00Z",
+ "refs": [
+ "https://securelist.com/transparent-tribe-part-1/98127/"
+ ],
+ "source": "MITRE",
+ "title": "Transparent Tribe: Evolution analysis, part 1"
+ },
+ "related": [],
+ "uuid": "0db470b1-ab22-4b67-a858-472e4de7c6f0",
+ "value": "Securelist Trasparent Tribe 2020"
+ },
{
"description": "Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.",
"meta": {
@@ -58330,21 +58934,6 @@
"uuid": "5d69d122-13bc-45c4-95ab-68283a21b699",
"value": "TrendMicro Tropic Trooper Mar 2018"
},
- {
- "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.",
- "meta": {
- "date_accessed": "2020-12-18T00:00:00Z",
- "date_published": "2016-11-22T00:00:00Z",
- "refs": [
- "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
- ],
- "source": "MITRE",
- "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy"
- },
- "related": [],
- "uuid": "47524b17-1acd-44b1-8de5-168369fa9455",
- "value": "paloalto Tropic Trooper 2016"
- },
{
"description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.",
"meta": {
@@ -58360,6 +58949,21 @@
"uuid": "cad84e3d-9506-44f8-bdd9-d090e6ce9b06",
"value": "Unit 42 Tropic Trooper Nov 2016"
},
+ {
+ "description": "Ray, V., et al. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved December 18, 2020.",
+ "meta": {
+ "date_accessed": "2020-12-18T00:00:00Z",
+ "date_published": "2016-11-22T00:00:00Z",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
+ ],
+ "source": "MITRE",
+ "title": "Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy"
+ },
+ "related": [],
+ "uuid": "47524b17-1acd-44b1-8de5-168369fa9455",
+ "value": "paloalto Tropic Trooper 2016"
+ },
{
"description": "Microsoft. (2023, October 23). Troubleshooting Conditional Access policy changes. Retrieved January 2, 2024.",
"meta": {
@@ -60361,21 +60965,6 @@
"uuid": "32a30a3f-3ed1-4def-86b1-f40bbffa1cc5",
"value": "Microsoft SMB Packet Signing"
},
- {
- "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.",
- "meta": {
- "date_accessed": "2016-04-07T00:00:00Z",
- "date_published": "2012-06-27T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)?redirectedfrom=MSDN"
- ],
- "source": "MITRE",
- "title": "Using Software Restriction Policies and AppLocker Policies"
- },
- "related": [],
- "uuid": "774e6598-0926-4adb-890f-00824de07ae0",
- "value": "Microsoft Using Software Restriction"
- },
{
"description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.",
"meta": {
@@ -60391,6 +60980,21 @@
"uuid": "84e1c53f-e858-4106-9c14-1b536d5b56f9",
"value": "TechNet Applocker vs SRP"
},
+ {
+ "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.",
+ "meta": {
+ "date_accessed": "2016-04-07T00:00:00Z",
+ "date_published": "2012-06-27T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)?redirectedfrom=MSDN"
+ ],
+ "source": "MITRE",
+ "title": "Using Software Restriction Policies and AppLocker Policies"
+ },
+ "related": [],
+ "uuid": "774e6598-0926-4adb-890f-00824de07ae0",
+ "value": "Microsoft Using Software Restriction"
+ },
{
"description": "Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.",
"meta": {
@@ -60985,6 +61589,22 @@
"uuid": "90a5ab3c-c2a8-4b02-9bd7-628672907737",
"value": "Offensive Security VNC Authentication Check"
},
+ {
+ "description": "Peter Girnus, Aliakbar Zahravi. (2024, July 15). Void Banshee Targets Windows Users. Retrieved September 19, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-19T00:00:00Z",
+ "date_published": "2024-07-15T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Void Banshee Targets Windows Users"
+ },
+ "related": [],
+ "uuid": "02c4dda2-3aae-43ec-9b14-df282b200def",
+ "value": "Trend Micro Void Banshee July 15 2024"
+ },
{
"description": "Feike Hacquebord, Stephen Hilt, Fernando Merces, Lord Alfred Remorin. (2023, May 30). Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals. Retrieved June 4, 2023.",
"meta": {
@@ -61016,6 +61636,21 @@
"uuid": "a26344a2-63ca-422e-8cf9-0cf22a5bee72",
"value": "CheckPoint Volatile Cedar March 2015"
},
+ {
+ "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.",
+ "meta": {
+ "date_accessed": "2023-07-27T00:00:00Z",
+ "date_published": "2023-05-24T00:00:00Z",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"
+ ],
+ "source": "MITRE",
+ "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques"
+ },
+ "related": [],
+ "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f",
+ "value": "Microsoft Volt Typhoon May 2023"
+ },
{
"description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved May 25, 2023.",
"meta": {
@@ -61032,21 +61667,6 @@
"uuid": "2e94c44a-d2a7-4e56-ac8a-df315fc14ec1",
"value": "Microsoft Volt Typhoon May 24 2023"
},
- {
- "description": "Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.",
- "meta": {
- "date_accessed": "2023-07-27T00:00:00Z",
- "date_published": "2023-05-24T00:00:00Z",
- "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"
- ],
- "source": "MITRE",
- "title": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques"
- },
- "related": [],
- "uuid": "8b74f0b7-9719-598c-b3ee-61d734393e6f",
- "value": "Microsoft Volt Typhoon May 2023"
- },
{
"description": "LOLBAS. (2023, July 12). VSDiagnostics.exe. Retrieved December 4, 2023.",
"meta": {
@@ -61143,21 +61763,6 @@
"uuid": "70c168a0-9ddf-408d-ba29-885c0c5c936a",
"value": "vstest.console.exe - LOLBAS Project"
},
- {
- "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.",
- "meta": {
- "date_accessed": "2017-02-03T00:00:00Z",
- "date_published": "2016-07-20T00:00:00Z",
- "refs": [
- "https://skanthak.homepage.t-online.de/sentinel.html"
- ],
- "source": "MITRE",
- "title": "Vulnerability and Exploit Detector"
- },
- "related": [],
- "uuid": "94f99326-1512-47ca-8c99-9b382e4d0261",
- "value": "Kanthak Sentinel"
- },
{
"description": "Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.",
"meta": {
@@ -61173,6 +61778,21 @@
"uuid": "d63d6e14-8fe7-4893-a42f-3752eaec8770",
"value": "Vulnerability and Exploit Detector"
},
+ {
+ "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.",
+ "meta": {
+ "date_accessed": "2017-02-03T00:00:00Z",
+ "date_published": "2016-07-20T00:00:00Z",
+ "refs": [
+ "https://skanthak.homepage.t-online.de/sentinel.html"
+ ],
+ "source": "MITRE",
+ "title": "Vulnerability and Exploit Detector"
+ },
+ "related": [],
+ "uuid": "94f99326-1512-47ca-8c99-9b382e4d0261",
+ "value": "Kanthak Sentinel"
+ },
{
"description": "CertiK. (2020, June 30). Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run. Retrieved March 7, 2024.",
"meta": {
@@ -61667,20 +62287,6 @@
"uuid": "d316c581-646d-48e7-956e-34e2f957c67d",
"value": "Cofense Astaroth Sept 2018"
},
- {
- "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.",
- "meta": {
- "date_accessed": "2021-09-14T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
- ],
- "source": "MITRE",
- "title": "wevtutil"
- },
- "related": [],
- "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e",
- "value": "Wevtutil Microsoft Documentation"
- },
{
"description": "Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018.",
"meta": {
@@ -61696,6 +62302,20 @@
"uuid": "8896d802-96c6-4546-8a82-c1f7f2d71ea1",
"value": "Microsoft wevtutil Oct 2017"
},
+ {
+ "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.",
+ "meta": {
+ "date_accessed": "2021-09-14T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
+ ],
+ "source": "MITRE",
+ "title": "wevtutil"
+ },
+ "related": [],
+ "uuid": "25511dde-9e13-4e03-8ae4-2495e9f5eb5e",
+ "value": "Wevtutil Microsoft Documentation"
+ },
{
"description": "LOLBAS. (2021, September 26). Wfc.exe. Retrieved December 4, 2023.",
"meta": {
@@ -62669,21 +63289,6 @@
"uuid": "92ac290c-4863-4774-b334-848ed72e3627",
"value": "Trend Micro Privileged Container"
},
- {
- "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.",
- "meta": {
- "date_accessed": "2024-01-02T00:00:00Z",
- "date_published": "2023-09-14T00:00:00Z",
- "refs": [
- "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware"
- ],
- "source": "MITRE",
- "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety"
- },
- "related": [],
- "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b",
- "value": "Mandiant UNC3944 SMS Phishing 2023"
- },
{
"description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved November 16, 2023.",
"meta": {
@@ -62700,6 +63305,21 @@
"uuid": "7420d79f-c6a3-4932-9c2e-c9cc36e2ca35",
"value": "Mandiant UNC3944 September 14 2023"
},
+ {
+ "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.",
+ "meta": {
+ "date_accessed": "2024-01-02T00:00:00Z",
+ "date_published": "2023-09-14T00:00:00Z",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware"
+ ],
+ "source": "MITRE",
+ "title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety"
+ },
+ "related": [],
+ "uuid": "3a310dbd-4b5c-5eaf-a4ce-699e52007c9b",
+ "value": "Mandiant UNC3944 SMS Phishing 2023"
+ },
{
"description": "Stack Overflow. (n.d.). Why do I see an \"Electron Security Warning\" after updating my Electron project to the latest version?. Retrieved March 7, 2024.",
"meta": {
@@ -62816,6 +63436,22 @@
"uuid": "806eadfc-f473-4f2b-b03b-8a1f1c0a2d96",
"value": "ESET Carberp March 2012"
},
+ {
+ "description": "Microsoft Corporation. (2012, April 2). Win32Gamarue threat description - Microsoft Security Intelligence. Retrieved September 27, 2024.",
+ "meta": {
+ "date_accessed": "2024-09-27T00:00:00Z",
+ "date_published": "2012-04-02T00:00:00Z",
+ "owner": "TidalCyberIan",
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue"
+ ],
+ "source": "Tidal Cyber",
+ "title": "Win32Gamarue threat description - Microsoft Security Intelligence"
+ },
+ "related": [],
+ "uuid": "de44abcc-9467-4c63-b0c4-c3a3b282ae39",
+ "value": "microsoft.com April 2 2012"
+ },
{
"description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.",
"meta": {
@@ -63168,21 +63804,6 @@
"uuid": "20ec94d1-4a5c-43f5-bb65-f3ea965d2b6e",
"value": "TechNet PowerShell"
},
- {
- "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
- "meta": {
- "date_accessed": "2018-08-10T00:00:00Z",
- "date_published": "2018-01-26T00:00:00Z",
- "refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
- ],
- "source": "MITRE",
- "title": "Windows Privilege Escalation Guide"
- },
- "related": [],
- "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b",
- "value": "Windows Privilege Escalation Guide"
- },
{
"description": "McFarland, R. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
"meta": {
@@ -63198,6 +63819,21 @@
"uuid": "c52945dc-eb20-4e69-8f8e-a262f33c244c",
"value": "SploitSpren Windows Priv Jan 2018"
},
+ {
+ "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
+ "meta": {
+ "date_accessed": "2018-08-10T00:00:00Z",
+ "date_published": "2018-01-26T00:00:00Z",
+ "refs": [
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
+ ],
+ "source": "MITRE",
+ "title": "Windows Privilege Escalation Guide"
+ },
+ "related": [],
+ "uuid": "185154f2-5f2e-48bf-b609-991e9d6a037b",
+ "value": "Windows Privilege Escalation Guide"
+ },
{
"description": "HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018.",
"meta": {
@@ -63448,21 +64084,6 @@
"uuid": "25d54a16-59a0-497d-a4a5-021420da8f1c",
"value": "Microsoft System Services Fundamentals"
},
- {
- "description": "Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.",
- "meta": {
- "date_accessed": "2018-03-26T00:00:00Z",
- "date_published": "2017-05-31T00:00:00Z",
- "refs": [
- "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings"
- ],
- "source": "MITRE",
- "title": "Windows Time Service Tools and Settings"
- },
- "related": [],
- "uuid": "9e3d8dec-745a-4744-b80c-d65897ebba3c",
- "value": "Microsoft W32Time May 2017"
- },
{
"description": "Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.",
"meta": {
@@ -63478,6 +64099,21 @@
"uuid": "0d908e07-abc1-40fc-b147-9b9fd483b262",
"value": "Technet Windows Time Service"
},
+ {
+ "description": "Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.",
+ "meta": {
+ "date_accessed": "2018-03-26T00:00:00Z",
+ "date_published": "2017-05-31T00:00:00Z",
+ "refs": [
+ "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings"
+ ],
+ "source": "MITRE",
+ "title": "Windows Time Service Tools and Settings"
+ },
+ "related": [],
+ "uuid": "9e3d8dec-745a-4744-b80c-d65897ebba3c",
+ "value": "Microsoft W32Time May 2017"
+ },
{
"description": "Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018.",
"meta": {
diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json
index 096cdd4..5b1a0f6 100644
--- a/clusters/tidal-software.json
+++ b/clusters/tidal-software.json
@@ -28,10 +28,6 @@
{
"dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
"type": "used-by"
- },
- {
- "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
- "type": "similar"
}
],
"uuid": "71d76208-c465-4447-8d6e-c54f142b65a4",
@@ -56,10 +52,6 @@
{
"dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
"type": "used-by"
- },
- {
- "dest-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
- "type": "similar"
}
],
"uuid": "a15142a3-4797-4fef-8ec6-065e3322a69b",
@@ -72,7 +64,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5023",
+ "software_attack_id": "S3023",
"source": "Tidal Cyber",
"tags": [
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -137,9 +129,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5299",
+ "software_attack_id": "S3061",
"source": "Tidal Cyber",
"tags": [
+ "51946995-71d4-4bd3-9f7f-491b450f018b",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"5e7433ad-a894-4489-93bc-41e90da90019",
@@ -181,10 +174,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756",
- "type": "similar"
}
],
"uuid": "3d33fbf5-c21e-4587-ba31-9aeec3cc10c0",
@@ -209,10 +198,6 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c",
- "type": "similar"
}
],
"uuid": "394cadd0-bc4d-4181-ac53-858e84b8e3de",
@@ -225,7 +210,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5203",
+ "software_attack_id": "S3324",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -246,7 +231,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5059",
+ "software_attack_id": "S3082",
"source": "Tidal Cyber",
"tags": [
"dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c"
@@ -284,10 +269,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2",
- "type": "similar"
}
],
"uuid": "cf465790-3d6d-5767-bb8c-63a429f95d83",
@@ -309,10 +290,6 @@
{
"dest-uuid": "31bc763e-623f-4870-9780-86e43d732594",
"type": "used-by"
- },
- {
- "dest-uuid": "36801ffb-5c85-4c50-9121-6122e389366d",
- "type": "similar"
}
],
"uuid": "202781a3-d481-4984-9e5a-31caafc20135",
@@ -334,10 +311,6 @@
{
"dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74",
"type": "used-by"
- },
- {
- "dest-uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005",
- "type": "similar"
}
],
"uuid": "f52e759a-a725-4b50-84f2-12bef89d369e",
@@ -350,7 +323,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5082",
+ "software_attack_id": "S3190",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -463,10 +436,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87",
- "type": "similar"
}
],
"uuid": "70559096-2a6b-4388-97e6-c2b16f3be78e",
@@ -479,7 +448,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5204",
+ "software_attack_id": "S3325",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -500,7 +469,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5270",
+ "software_attack_id": "S3111",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -528,7 +497,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5024",
+ "software_attack_id": "S3024",
"source": "Tidal Cyber",
"tags": [
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
@@ -586,7 +555,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5006",
+ "software_attack_id": "S3025",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -637,7 +606,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5025",
+ "software_attack_id": "S3026",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -672,7 +641,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5187",
+ "software_attack_id": "S3308",
"source": "Tidal Cyber",
"tags": [
"7a457caf-c3b6-4a48-84cf-c1f50a2eda27",
@@ -708,10 +677,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
- "type": "similar"
}
],
"uuid": "ef7f4f5f-6f30-4059-87d1-cd8375bf1bee",
@@ -733,12 +698,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f27c9a91-c618-40c6-837d-089ba4d80f45",
"value": "Agent.btz"
},
@@ -749,7 +709,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5205",
+ "software_attack_id": "S3326",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -772,6 +732,7 @@
"software_attack_id": "S0331",
"source": "MITRE",
"tags": [
+ "d11d22a2-518d-4727-975b-d04d8826e4c0",
"16b47583-1c54-431f-9f09-759df7b5ddb7",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
],
@@ -787,10 +748,6 @@
{
"dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
"type": "used-by"
- },
- {
- "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
- "type": "similar"
}
],
"uuid": "304650b1-a0b5-460c-9210-23a5b53815a4",
@@ -805,6 +762,7 @@
"software_attack_id": "S1129",
"source": "MITRE",
"tags": [
+ "fde14c10-e749-4c04-b97f-1d9fbd6e72e7",
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
"cc4ea215-87ce-4351-9579-cf527caf5992",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -825,10 +783,6 @@
{
"dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
"type": "used-by"
- },
- {
- "dest-uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656",
- "type": "similar"
}
],
"uuid": "96ae0e1e-975a-5e11-adbe-c79ee17cee11",
@@ -886,10 +840,6 @@
{
"dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
"type": "used-by"
- },
- {
- "dest-uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9",
- "type": "similar"
}
],
"uuid": "f173ec20-ef40-436b-a859-fef017e1e767",
@@ -915,10 +865,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e",
- "type": "similar"
}
],
"uuid": "9521c535-1043-4b82-ba5d-e5eaeca500ee",
@@ -936,12 +882,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "69aac793-9e6a-5167-bc62-823189ee2f7b",
"value": "ANDROMEDA"
},
@@ -954,9 +895,10 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5274",
+ "software_attack_id": "S3114",
"source": "Tidal Cyber",
"tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
"d819ae1a-e385-49fd-88d5-f66660729ecb",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
@@ -970,6 +912,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a",
"type": "used-by"
@@ -985,9 +931,11 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5007",
+ "software_attack_id": "S3027",
"source": "Tidal Cyber",
"tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
"cc4ea215-87ce-4351-9579-cf527caf5992",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -1017,6 +965,18 @@
"dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
"type": "used-by"
},
+ {
+ "dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
+ },
{
"dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0",
"type": "used-by"
@@ -1088,7 +1048,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5083",
+ "software_attack_id": "S3191",
"source": "Tidal Cyber",
"tags": [
"837cf289-ad09-48ca-adf9-b46b07015666",
@@ -1125,10 +1085,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858",
- "type": "similar"
}
],
"uuid": "cdeb3110-07e5-4c3d-9eef-e6f2b760ef33",
@@ -1154,10 +1110,6 @@
{
"dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
"type": "used-by"
- },
- {
- "dest-uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570",
- "type": "similar"
}
],
"uuid": "9df2e42e-b454-46ea-b50d-2f7d999f3d42",
@@ -1170,7 +1122,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5206",
+ "software_attack_id": "S3327",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -1191,7 +1143,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5286",
+ "software_attack_id": "S3001",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -1223,10 +1175,6 @@
{
"dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"type": "used-by"
- },
- {
- "dest-uuid": "3161d76a-e2b2-4b97-9906-24909b735386",
- "type": "similar"
}
],
"uuid": "7ba79887-d496-47aa-8b71-df7f46329322",
@@ -1269,10 +1217,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
- "type": "similar"
}
],
"uuid": "45b51950-6190-4572-b1a2-7c69d865251e",
@@ -1285,7 +1229,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5084",
+ "software_attack_id": "S3192",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -1330,10 +1274,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2",
- "type": "similar"
}
],
"uuid": "a0cce010-9158-45e5-978a-f002e5c31a03",
@@ -1348,18 +1288,14 @@
"software_attack_id": "S0373",
"source": "MITRE",
"tags": [
+ "84d9893e-e338-442a-bfc0-3148ad5f716d",
"4d767e87-4cf6-438a-927a-43d2d0beaab7"
],
"type": [
"malware"
]
},
- "related": [
- {
- "dest-uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ea719a35-cbe9-4503-873d-164f68ab4544",
"value": "Astaroth"
},
@@ -1372,15 +1308,14 @@
"software_attack_id": "S1087",
"source": "MITRE",
"tags": [
+ "9eaf6107-4d57-4bc7-b6d2-4541d5936672",
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"27a117ce-bb19-4f79-9bc2-a851b69c5c50",
"6070668f-1cbd-4878-8066-c636d1d8659c",
"61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
- "2feda37d-5579-4102-a073-aa02e82cb49f",
"fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
"d431939f-2dc0-410b-83f7-86c458125444"
],
@@ -1400,10 +1335,6 @@
{
"dest-uuid": "153c14a6-31b7-44f2-892e-6d9fdc152267",
"type": "used-by"
- },
- {
- "dest-uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d",
- "type": "similar"
}
],
"uuid": "d587efff-4699-51c7-a4cc-bdbd1b302ed4",
@@ -1440,10 +1371,6 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
- "type": "similar"
}
],
"uuid": "af01dc7b-a2bc-4fda-bbfe-d2be889c2860",
@@ -1456,7 +1383,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5085",
+ "software_attack_id": "S3194",
"source": "Tidal Cyber",
"tags": [
"85a29262-64bd-443c-9e08-3ee26aac859b",
@@ -1478,7 +1405,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5014",
+ "software_attack_id": "S3008",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -1510,6 +1437,10 @@
"dest-uuid": "4ea1245f-3f35-5168-bd10-1fc49142fd4e",
"type": "used-by"
},
+ {
+ "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
+ "type": "used-by"
+ },
{
"dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
"type": "used-by"
@@ -1549,9 +1480,10 @@
"platforms": [
"macOS"
],
- "software_attack_id": "S5314",
+ "software_attack_id": "S3127",
"source": "Tidal Cyber",
"tags": [
+ "4d767e87-4cf6-438a-927a-43d2d0beaab7",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f"
],
@@ -1575,12 +1507,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "89c35e9f-b435-4f58-9073-f24c1ee8754f",
"value": "Attor"
},
@@ -1600,10 +1527,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92",
- "type": "similar"
}
],
"uuid": "d0c25f14-5eb3-40c1-a890-2ab1349dff53",
@@ -1617,6 +1540,9 @@
],
"software_attack_id": "S0129",
"source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
"type": [
"malware"
]
@@ -1629,10 +1555,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
- "type": "similar"
}
],
"uuid": "3f927596-5219-49eb-bd0d-57068b0e04ed",
@@ -1645,7 +1567,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5277",
+ "software_attack_id": "S3117",
"source": "Tidal Cyber",
"tags": [
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -1686,10 +1608,6 @@
{
"dest-uuid": "31bc763e-623f-4870-9780-86e43d732594",
"type": "used-by"
- },
- {
- "dest-uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5",
- "type": "similar"
}
],
"uuid": "649a4cfc-c0d0-412d-a28c-1bd4ed604ea8",
@@ -1704,6 +1622,7 @@
"software_attack_id": "S0640",
"source": "MITRE",
"tags": [
+ "8c65cb23-442d-4855-9d80-e0ac27bcfc48",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172"
@@ -1712,12 +1631,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "58c5a3a1-928f-4094-9e98-a5a4e56dd5f3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "bad92974-35f6-4183-8024-b629140c6ee6",
"value": "Avaddon"
},
@@ -1740,10 +1654,6 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
- "type": "similar"
}
],
"uuid": "e5ca0192-e905-46a1-abef-ce1119c1f967",
@@ -1772,15 +1682,45 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e792dc8d-b0f4-5916-8850-a61ff53125d0",
"value": "AvosLocker"
},
+ {
+ "description": "AzCopy is a command line tool that enables Azure storage data transfers. It facilitates file transfer activity for Azure Storage Explorer, another legitimate utility that has been abused by ransomware operations like the BianLian and Rhysida gangs.[[modePUSH Azure Storage Explorer September 14 2024](/references/a4c50b03-f0d7-4d29-a9de-e550be61390c)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Azure AD",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "software_attack_id": "S3187",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c9c73000-30a5-4a16-8c8b-79169f9c24aa",
+ "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
+ "8bf128ad-288b-41bc-904f-093f4fdde745",
+ "e1af18e3-3224-4e4c-9d0f-533768474508"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "aab3287b-932a-4208-af5e-d10abffb188b",
+ "value": "AzCopy"
+ },
{
"description": "[Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://app.tidalcyber.com/software/cc68a7f0-c955-465f-bee0-2dacbb179078) has been seen used for cryptocurrency theft. [[Unit42 Azorult Nov 2018](https://app.tidalcyber.com/references/44ceddf6-bcbf-4a60-bb92-f8cdc675d185)][[Proofpoint Azorult July 2018](https://app.tidalcyber.com/references/a85c869a-3ba3-42c2-9460-d3d1f0874044)]",
"meta": {
@@ -1800,15 +1740,46 @@
{
"dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
"type": "used-by"
- },
- {
- "dest-uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080",
- "type": "similar"
}
],
"uuid": "cc68a7f0-c955-465f-bee0-2dacbb179078",
"value": "Azorult"
},
+ {
+ "description": "Azure Storage Explorer is a Microsoft application that provides a graphical interface for managing Azure storage elements, as well as file and folder download and upload capabilities. The associated AzCopy tool facilitates actual Azure Storage Explorer file transfer capabilities.[[modePUSH Azure Storage Explorer September 14 2024](/references/a4c50b03-f0d7-4d29-a9de-e550be61390c)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Azure AD",
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "software_attack_id": "S3186",
+ "source": "Tidal Cyber",
+ "tags": [
+ "c9c73000-30a5-4a16-8c8b-79169f9c24aa",
+ "509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
+ "8bf128ad-288b-41bc-904f-093f4fdde745",
+ "e1af18e3-3224-4e4c-9d0f-533768474508"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "1674b306-aa70-44f5-b373-24bb5fc51cfa",
+ "value": "Azure Storage Explorer"
+ },
{
"description": "[Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of [Babuk](https://app.tidalcyber.com/software/0dc07eb9-66df-4116-b1bc-7020ca6395a1) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[[Sogeti CERT ESEC Babuk March 2021](https://app.tidalcyber.com/references/e85e3bd9-6ddc-4d0f-a16c-b525a75baa7e)][[McAfee Babuk February 2021](https://app.tidalcyber.com/references/bb23ca19-78bb-4406-90a4-bf82bd467e04)][[CyberScoop Babuk February 2021](https://app.tidalcyber.com/references/0a0aeacd-0976-4c84-b40d-5704afca9f0e)]",
"meta": {
@@ -1837,12 +1808,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "61c7a91a-0b83-461d-ad32-75d96eed4a09",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "0dc07eb9-66df-4116-b1bc-7020ca6395a1",
"value": "Babuk"
},
@@ -1865,10 +1831,6 @@
{
"dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
"type": "used-by"
- },
- {
- "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b",
- "type": "similar"
}
],
"uuid": "ebb824a2-abff-4bfd-87f0-d63cb02b62e6",
@@ -1893,10 +1855,6 @@
{
"dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
"type": "used-by"
- },
- {
- "dest-uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00",
- "type": "similar"
}
],
"uuid": "2763ad8c-cf4e-42eb-88db-a40ff8f96cf9",
@@ -1921,10 +1879,6 @@
{
"dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
"type": "used-by"
- },
- {
- "dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
- "type": "similar"
}
],
"uuid": "f7cc5974-767c-4cb4-acc7-36295a386ce5",
@@ -1949,10 +1903,6 @@
{
"dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
"type": "used-by"
- },
- {
- "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
- "type": "similar"
}
],
"uuid": "d0daaa00-68e1-4568-bb08-3f28bcd82c63",
@@ -1965,7 +1915,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5026",
+ "software_attack_id": "S3028",
"source": "Tidal Cyber",
"tags": [
"d903e38b-600d-4736-9e3b-cf1a6e436481",
@@ -2017,10 +1967,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2",
- "type": "similar"
}
],
"uuid": "d7aa53a5-0912-4952-8f7f-55698e933c3b",
@@ -2045,10 +1991,6 @@
{
"dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
"type": "used-by"
- },
- {
- "dest-uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790",
- "type": "similar"
}
],
"uuid": "8c454294-81cb-45d0-b299-818994ad3e6f",
@@ -2070,10 +2012,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888",
- "type": "similar"
}
],
"uuid": "16481e0f-49d5-54c1-a1fe-16d9e7f8d08c",
@@ -2095,10 +2033,6 @@
{
"dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
"type": "used-by"
- },
- {
- "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
- "type": "similar"
}
],
"uuid": "34c24d27-c779-42a4-9f61-3f0d3fea6fd4",
@@ -2116,12 +2050,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "10e76722-4b52-47f6-9276-70e95fecb26b",
"value": "BadPatch"
},
@@ -2132,7 +2061,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5304",
+ "software_attack_id": "S3070",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -2174,10 +2103,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
- "type": "similar"
}
],
"uuid": "a1d86d8f-fa48-43aa-9833-7355750e455c",
@@ -2192,8 +2117,6 @@
"software_attack_id": "S0234",
"source": "MITRE",
"tags": [
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
- "2feda37d-5579-4102-a073-aa02e82cb49f",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
],
"type": [
@@ -2204,10 +2127,6 @@
{
"dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14",
"type": "used-by"
- },
- {
- "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b",
- "type": "similar"
}
],
"uuid": "5c0f8c35-88ff-40a1-977a-af5ce534e932",
@@ -2232,10 +2151,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8",
- "type": "similar"
}
],
"uuid": "24b8471d-698f-48cc-b47a-8fbbaf28b293",
@@ -2248,7 +2163,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5086",
+ "software_attack_id": "S3195",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -2269,7 +2184,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5027",
+ "software_attack_id": "S3029",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -2325,10 +2240,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0",
- "type": "similar"
}
],
"uuid": "b35d9817-6ead-4dbd-a2fa-4b8e217f8eac",
@@ -2353,10 +2264,6 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
- "type": "similar"
}
],
"uuid": "3daa5ae1-464e-4c0a-aa46-15264a2a0126",
@@ -2374,12 +2281,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "be4dab36-d499-4ac3-b204-5e309e3a5331",
"value": "BBSRAT"
},
@@ -2402,10 +2304,6 @@
{
"dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
"type": "used-by"
- },
- {
- "dest-uuid": "805480f1-6caa-4a67-8ca9-b2b39650d986",
- "type": "similar"
}
],
"uuid": "a114a498-fcfd-4e0a-9d1e-e26750d71af8",
@@ -2418,7 +2316,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5207",
+ "software_attack_id": "S3328",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -2439,7 +2337,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5001",
+ "software_attack_id": "S3010",
"source": "Tidal Cyber",
"tags": [
"35e694ec-5133-46e3-b7e1-5831867c3b55",
@@ -2466,7 +2364,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5292",
+ "software_attack_id": "S3009",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -2503,10 +2401,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda",
- "type": "similar"
}
],
"uuid": "3ad98097-2d10-4aa1-9594-7e74828a3643",
@@ -2531,10 +2425,6 @@
{
"dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
"type": "used-by"
- },
- {
- "dest-uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d",
- "type": "similar"
}
],
"uuid": "b898816e-610f-4c2f-9045-d9f28a54ee58",
@@ -2560,10 +2450,6 @@
{
"dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
"type": "used-by"
- },
- {
- "dest-uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100",
- "type": "similar"
}
],
"uuid": "e7dec940-8701-4c06-9865-5b11c61c046d",
@@ -2594,6 +2480,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
"type": "used-by"
@@ -2625,10 +2515,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
- "type": "similar"
}
],
"uuid": "52a20d3d-1edd-4f17-87f0-b77c67d260b4",
@@ -2643,6 +2529,7 @@
"software_attack_id": "S1070",
"source": "MITRE",
"tags": [
+ "da5af5bf-d4f3-4bbb-9638-57ea2dc2c776",
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
"d903e38b-600d-4736-9e3b-cf1a6e436481",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -2664,10 +2551,6 @@
{
"dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
"type": "used-by"
- },
- {
- "dest-uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53",
- "type": "similar"
}
],
"uuid": "0d5b24ba-68dc-50fa-8268-3012180fe374",
@@ -2683,6 +2566,7 @@
"software_attack_id": "S1068",
"source": "MITRE",
"tags": [
+ "d5248609-d9ed-4aad-849a-aa0476f85dea",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
"5e7433ad-a894-4489-93bc-41e90da90019",
@@ -2698,6 +2582,10 @@
"dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
"type": "used-by"
},
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
+ },
{
"dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
"type": "used-by"
@@ -2709,10 +2597,6 @@
{
"dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
"type": "used-by"
- },
- {
- "dest-uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc",
- "type": "similar"
}
],
"uuid": "691369e5-ef74-5ff9-bc20-34efeb4b6c5b",
@@ -2742,10 +2626,6 @@
{
"dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
"type": "used-by"
- },
- {
- "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
- "type": "similar"
}
],
"uuid": "e85e2fca-9347-4448-bfc1-342f29d5d6a1",
@@ -2770,10 +2650,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
- "type": "similar"
}
],
"uuid": "908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f",
@@ -2786,7 +2662,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5306",
+ "software_attack_id": "S3084",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -2818,10 +2694,6 @@
{
"dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
"type": "used-by"
- },
- {
- "dest-uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d",
- "type": "similar"
}
],
"uuid": "da348a51-d047-4144-9ba4-34d2ce964a11",
@@ -2835,9 +2707,10 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5324",
+ "software_attack_id": "S3139",
"source": "Tidal Cyber",
"tags": [
+ "2917207f-aa63-4c4a-b2d2-be7e16d1f25c",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
"a2e000da-8181-4327-bacd-32013dbd3654",
@@ -2875,10 +2748,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725",
- "type": "similar"
}
],
"uuid": "1af8ea81-40df-4fba-8d63-1858b8b31217",
@@ -2893,6 +2762,8 @@
"software_attack_id": "S0521",
"source": "MITRE",
"tags": [
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"d819ae1a-e385-49fd-88d5-f66660729ecb",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
@@ -2951,10 +2822,6 @@
{
"dest-uuid": "ca93af75-0ffa-4df4-b86a-92d4d50e496e",
"type": "used-by"
- },
- {
- "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926",
- "type": "similar"
}
],
"uuid": "72658763-8077-451e-8572-38858f8cacf3",
@@ -2979,10 +2846,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0",
- "type": "similar"
}
],
"uuid": "3aaaaf86-638b-4a65-be18-c6e6dcdcdb97",
@@ -3000,12 +2863,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4c6d62c2-89f5-4159-8fab-0190b1f9d328",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "3793db4b-f843-4cfd-89d2-ec28b62feda5",
"value": "Bonadan"
},
@@ -3017,6 +2875,9 @@
],
"software_attack_id": "S0360",
"source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
"type": [
"malware"
]
@@ -3025,10 +2886,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a",
- "type": "similar"
}
],
"uuid": "d8690218-5272-47d8-8189-35d3b518e66f",
@@ -3043,6 +2900,7 @@
"software_attack_id": "S0635",
"source": "MITRE",
"tags": [
+ "15126457-d8bb-4799-9cee-b18e17ef9703",
"84615fe0-c2a5-4e07-8957-78ebc29b4635"
],
"type": [
@@ -3053,10 +2911,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074",
- "type": "similar"
}
],
"uuid": "9d393f6f-855e-4348-8a26-008174e3605a",
@@ -3081,10 +2935,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010",
- "type": "similar"
}
],
"uuid": "74a73624-d53b-4c84-a14b-8ae964fd577c",
@@ -3102,12 +2952,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d47a4753-80f5-494e-aad7-d033aaff0d6d",
"value": "BOOTRASH"
},
@@ -3130,10 +2975,6 @@
{
"dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d",
"type": "used-by"
- },
- {
- "dest-uuid": "919a056e-5104-43b9-ad55-2ac929108b71",
- "type": "similar"
}
],
"uuid": "d3e46011-3433-426c-83b3-61c2576d5f71",
@@ -3155,10 +2996,6 @@
{
"dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
"type": "used-by"
- },
- {
- "dest-uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5",
- "type": "similar"
}
],
"uuid": "51b27e2c-c737-4006-a657-195ea1a1f4f0",
@@ -3180,10 +3017,6 @@
{
"dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"type": "used-by"
- },
- {
- "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde",
- "type": "similar"
}
],
"uuid": "7942783c-73a7-413c-94d1-8981029a1c51",
@@ -3198,6 +3031,7 @@
"software_attack_id": "S1063",
"source": "MITRE",
"tags": [
+ "599dd679-c6a6-42b6-8b7a-29d840db2028",
"e1af18e3-3224-4e4c-9d0f-533768474508",
"e81ba503-60b0-4b64-8f20-ef93e7783796"
],
@@ -3209,10 +3043,6 @@
{
"dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
"type": "used-by"
- },
- {
- "dest-uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5",
- "type": "similar"
}
],
"uuid": "23043b44-69a6-5cdf-8f60-5a68068680c7",
@@ -3230,12 +3060,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c9e773de-0213-4b64-83fb-637060c8b5ed",
"value": "BS2005"
},
@@ -3258,10 +3083,6 @@
{
"dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
"type": "used-by"
- },
- {
- "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b",
- "type": "similar"
}
],
"uuid": "2be4e3d2-e8c5-4406-8041-2c17bdb3a547",
@@ -3286,10 +3107,6 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
- "type": "similar"
}
],
"uuid": "c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9",
@@ -3316,10 +3133,6 @@
{
"dest-uuid": "396a4361-3e84-47bc-9544-58e287c05799",
"type": "used-by"
- },
- {
- "dest-uuid": "04378e79-4387-468a-a8f7-f974b8254e44",
- "type": "similar"
}
],
"uuid": "cc155181-fb34-4aaf-b083-b7b57b140b7a",
@@ -3334,18 +3147,14 @@
"software_attack_id": "S0482",
"source": "MITRE",
"tags": [
+ "707e8a2b-e223-4d99-91c2-43de4b4459f6",
"4d767e87-4cf6-438a-927a-43d2d0beaab7"
],
"type": [
"malware"
]
},
- "related": [
- {
- "dest-uuid": "7bef1b56-4870-4e74-b32a-7dd88c390c44",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e9873bf1-9619-4c62-b4cf-1009e83de186",
"value": "Bundlore"
},
@@ -3361,12 +3170,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "29a0bb87-1162-4c83-9834-2a98a876051b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "44ed9567-2cb6-590e-b332-154557fb93f9",
"value": "BUSHWALK"
},
@@ -3386,10 +3190,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
- "type": "similar"
}
],
"uuid": "7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc",
@@ -3402,9 +3202,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5309",
+ "software_attack_id": "S3107",
"source": "Tidal Cyber",
"tags": [
+ "83a25621-55a6-4b0d-be67-4905b6d3a1c6",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"a2e000da-8181-4327-bacd-32013dbd3654",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
@@ -3440,12 +3241,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b30d999d-64e0-4e35-9856-884e4b83d611",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "62d0ddcd-790d-4d2d-9d94-276f54b40cf0",
"value": "CaddyWiper"
},
@@ -3465,10 +3261,6 @@
{
"dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
"type": "used-by"
- },
- {
- "dest-uuid": "a705b085-1eae-455e-8f4d-842483d814eb",
- "type": "similar"
}
],
"uuid": "c8a51b39-6906-4381-9bb4-4e9e612aa085",
@@ -3490,10 +3282,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283",
- "type": "similar"
}
],
"uuid": "ad859a79-c183-44f6-a89a-f734710672a9",
@@ -3511,12 +3299,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6b5b408c-4f9d-4137-bfb1-830d12e9736c",
"value": "Calisto"
},
@@ -3536,10 +3319,6 @@
{
"dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4",
"type": "used-by"
- },
- {
- "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5",
- "type": "similar"
}
],
"uuid": "352ee271-89e6-4d3f-9c26-98dbab0e2986",
@@ -3561,10 +3340,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d",
- "type": "similar"
}
],
"uuid": "790e931d-2571-496d-9f48-322774a7d482",
@@ -3590,10 +3365,6 @@
{
"dest-uuid": "72d9bea7-9ca1-43e6-8702-2fb7fb1355de",
"type": "used-by"
- },
- {
- "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
- "type": "similar"
}
],
"uuid": "4cb9294b-9e4c-41b9-b640-46213a01952d",
@@ -3611,12 +3382,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "bbcd7a02-ef24-4171-ac94-a93540173b94",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "df9491fd-5e24-4548-8e21-1268dce59d1f",
"value": "Carberp"
},
@@ -3636,10 +3402,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f",
- "type": "similar"
}
],
"uuid": "61f5d19c-1da2-43d1-ab20-51eacbca71f2",
@@ -3660,12 +3422,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "fa23acef-3034-43ee-9610-4fc322f0d80b",
"value": "Cardinal RAT"
},
@@ -3684,12 +3441,7 @@
"tool"
]
},
- "related": [
- {
- "dest-uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "84bb4068-b441-435e-8535-02a458ffd50b",
"value": "CARROTBALL"
},
@@ -3705,12 +3457,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "1b9f0800-035e-4ed1-9648-b18294cc5bc8",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "aefa893d-fc6e-41a9-8794-2700049db9e5",
"value": "CARROTBAT"
},
@@ -3730,10 +3477,6 @@
{
"dest-uuid": "a3b39b07-0bfa-4c69-9f01-acf7dc6033b4",
"type": "used-by"
- },
- {
- "dest-uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a",
- "type": "similar"
}
],
"uuid": "04deccb5-9850-45c3-a900-5d7039a94190",
@@ -3758,15 +3501,38 @@
{
"dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
"type": "used-by"
- },
- {
- "dest-uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64",
- "type": "similar"
}
],
"uuid": "ee88afaa-88bc-4c20-906f-332866388549",
"value": "Caterpillar WebShell"
},
+ {
+ "description": "CBROVER is a first-stage backdoor, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3172",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "73ff6a0c-12fd-43d6-b2ea-2949a7f748b1",
+ "value": "CBROVER"
+ },
{
"description": "CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[[Flashpoint Glossary Killnet](/references/502cc03b-350b-4e2d-9436-364c43a0a203)]",
"meta": {
@@ -3775,7 +3541,7 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5062",
+ "software_attack_id": "S3085",
"source": "Tidal Cyber",
"tags": [
"62bde669-3020-4682-be68-36c83b2588a4"
@@ -3808,12 +3574,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b0f13390-cec7-4814-b37c-ccec01887faa",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4eb0720c-7046-4ff1-adfd-ae603506e499",
"value": "CCBkdr"
},
@@ -3829,12 +3590,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "a394448a-4576-41b8-81cc-9b61abad94ab",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e00c2a0c-bbe5-4eff-b0ad-b2543456a317",
"value": "ccf32"
},
@@ -3845,7 +3601,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5208",
+ "software_attack_id": "S3329",
"source": "Tidal Cyber",
"tags": [
"4479b9e9-d912-451a-9ad5-08b3d922422d",
@@ -3860,6 +3616,33 @@
"uuid": "d9ea2696-7c47-44cd-8784-9aeef5e149ea",
"value": "Cdb"
},
+ {
+ "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3158",
+ "source": "Tidal Cyber",
+ "tags": [
+ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "0dc7a5a5-c304-40bb-87d7-c0f77dd84b29",
+ "value": "CDumper"
+ },
{
"description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used for installing certificates\n\n**Author:** Ensar Samil\n\n**Paths:**\n* c:\\windows\\system32\\certoc.exe\n* c:\\windows\\syswow64\\certoc.exe\n\n**Resources:**\n* [https://twitter.com/sblmsrsn/status/1445758411803480072?s=20](https://twitter.com/sblmsrsn/status/1445758411803480072?s=20)\n* [https://twitter.com/sblmsrsn/status/1452941226198671363?s=20](https://twitter.com/sblmsrsn/status/1452941226198671363?s=20)\n\n**Detection:**\n* Sigma: [proc_creation_win_certoc_load_dll.yml](https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml)\n* IOC: Process creation with given parameter\n* IOC: Unsigned DLL load via certoc.exe\n* IOC: Network connection via certoc.exe[[CertOC.exe - LOLBAS Project](/references/b906498e-2773-419b-8c6d-3e974925ac18)]",
"meta": {
@@ -3867,7 +3650,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5087",
+ "software_attack_id": "S3197",
"source": "Tidal Cyber",
"tags": [
"fb909648-ee44-4871-abe6-82c909c4d677",
@@ -3889,7 +3672,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5088",
+ "software_attack_id": "S3198",
"source": "Tidal Cyber",
"tags": [
"35a798a2-eaab-48a3-9ee7-5538f36a4172",
@@ -3986,10 +3769,6 @@
{
"dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a",
"type": "used-by"
- },
- {
- "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
- "type": "similar"
}
],
"uuid": "2fe21578-ee31-4ee8-b6ab-b5f76f97d043",
@@ -4010,12 +3789,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "77e0ecf7-ca91-4c06-8012-8e728986a87a",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "0c8efcd0-bfdf-4771-8754-18aac836c359",
"value": "Chaes"
},
@@ -4035,12 +3809,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "5bcd5511-6756-4824-a692-e8bb109364af",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "92c88765-6b12-42cd-b1d7-f6a65b2236e2",
"value": "Chaos"
},
@@ -4053,6 +3822,7 @@
"software_attack_id": "S0674",
"source": "MITRE",
"tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
"4d767e87-4cf6-438a-927a-43d2d0beaab7"
],
"type": [
@@ -4063,10 +3833,6 @@
{
"dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
"type": "used-by"
- },
- {
- "dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4",
- "type": "similar"
}
],
"uuid": "b1e3b56f-2e83-4cab-a1c1-16999009d056",
@@ -4088,10 +3854,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
- "type": "similar"
}
],
"uuid": "3f2283ef-67c2-49a3-98ac-1aa9f0499361",
@@ -4113,10 +3875,6 @@
{
"dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
"type": "used-by"
- },
- {
- "dest-uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52",
- "type": "similar"
}
],
"uuid": "6475bc8c-b95d-5cb3-92f0-aa7e2f18859a",
@@ -4134,12 +3892,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "2fd6f564-918e-4ee7-920a-2b4be858d11a",
"value": "Cherry Picker"
},
@@ -4195,10 +3948,6 @@
{
"dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
"type": "used-by"
- },
- {
- "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70",
- "type": "similar"
}
],
"uuid": "723c5ab7-23ca-46f2-83bb-f1d1e550122c",
@@ -4216,12 +3965,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "7c36563a-9143-4766-8aef-4e1787e18d8c",
"value": "Chinoxy"
},
@@ -4232,7 +3976,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5063",
+ "software_attack_id": "S3087",
"source": "Tidal Cyber",
"tags": [
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -4274,7 +4018,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5028",
+ "software_attack_id": "S3030",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -4323,15 +4067,40 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
- "type": "similar"
}
],
"uuid": "01c6c49a-f7c8-44cd-a377-4dfd358ffeba",
"value": "CHOPSTICK"
},
+ {
+ "description": "ChromeLoader is a \"browser hijacking\" malware that is capable of adjusting victim web browser settings and in order to redirect user traffic to advertisement websites. ChromeLoader is notable for using a relatively uncommon technique whereby PowerShell is leveraged to inject the malware into the browser and add a malicious extension to it.[[Red Canary May 25 2022](/references/bffc87ac-e51b-47e3-8a9f-547e762e95c2)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "macOS",
+ "Windows"
+ ],
+ "software_attack_id": "S5281",
+ "source": "Tidal Cyber",
+ "tags": [
+ "9775efc2-e8ac-47de-bd2a-bb08202b48fd",
+ "707e8a2b-e223-4d99-91c2-43de4b4459f6",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "6d23e83f-fd4f-4802-bd01-daff7348741d",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "1523b0d7-9c95-4f39-a23b-7ca347748dc6",
+ "value": "ChromeLoader"
+ },
{
"description": "[Chrommme](https://app.tidalcyber.com/software/df77ed2a-f135-4f00-9a5e-79b7a6a2ed14) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://app.tidalcyber.com/software/9a117508-1d22-4fea-aa65-db670c13a5c9) malware.[[ESET Gelsemium June 2021](https://app.tidalcyber.com/references/ea28cf8c-8c92-48cb-b499-ffb7ff0e3cf5)]",
"meta": {
@@ -4347,15 +4116,41 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "579607c2-d046-40df-99ab-beb479c37a2a",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "df77ed2a-f135-4f00-9a5e-79b7a6a2ed14",
"value": "Chrommme"
},
+ {
+ "description": "A ransomware binary used by the ransomware-as-a-service (\"RaaS\") group of the same name, which was first observed in June 2024. This ransomware is written in Rust and can run on Windows and Linux/ESXi hosts. Researchers have highlighted several notable overlaps between Cicada3301 and ALPHV/BlackCat ransomware.[[Truesec AB August 30 2024](/references/de2de0a9-17d2-41c2-838b-7850762b80ae)][[Morphisec September 3 2024](/references/90549699-8815-45e8-820c-4f5a7fc584b8)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S3164",
+ "source": "Tidal Cyber",
+ "tags": [
+ "a2e000da-8181-4327-bacd-32013dbd3654",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "a45b2ee6-43dd-47e8-9846-385a06c0c9ac",
+ "value": "Cicada3301"
+ },
{
"description": "[Clambling](https://app.tidalcyber.com/software/4bac93bd-7e58-4ddb-a205-d99597b9e65e) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://app.tidalcyber.com/groups/79be2f31-5626-425e-844c-fd9c99e38fe5) since at least 2017.[[Trend Micro DRBControl February 2020](https://app.tidalcyber.com/references/4dfbf26d-023b-41dd-82c8-12fe18cb10e6)]",
"meta": {
@@ -4372,10 +4167,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "6e95feb1-78ee-48d3-b421-4d76663b5c49",
- "type": "similar"
}
],
"uuid": "4bac93bd-7e58-4ddb-a205-d99597b9e65e",
@@ -4388,7 +4179,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5257",
+ "software_attack_id": "S3378",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -4409,7 +4200,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5255",
+ "software_attack_id": "S3376",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -4430,7 +4221,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5256",
+ "software_attack_id": "S3377",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -4453,8 +4244,7 @@
"software_attack_id": "S0611",
"source": "MITRE",
"tags": [
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
- "2feda37d-5579-4102-a073-aa02e82cb49f",
+ "0629ccb3-83b1-4aeb-a9cb-1585b6b21542",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"b15c16f7-b8c7-4962-9acc-a98a39f87b69",
"b18b5401-d88d-4f28-8f50-a884a5e58349",
@@ -4483,10 +4273,6 @@
{
"dest-uuid": "ecdbd431-d62b-4b30-8663-b1ecb4304ec0",
"type": "used-by"
- },
- {
- "dest-uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de",
- "type": "similar"
}
],
"uuid": "5321aa75-924c-47ae-b97a-b36f023abf2a",
@@ -4499,7 +4285,7 @@
"platforms": [
"macOS"
],
- "software_attack_id": "S5316",
+ "software_attack_id": "S3129",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -4532,10 +4318,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df",
- "type": "similar"
}
],
"uuid": "b3dd424b-ee96-449c-aa52-abbc7d4dfb86",
@@ -4564,6 +4346,10 @@
"dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
"type": "used-by"
},
+ {
+ "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8",
+ "type": "used-by"
+ },
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
@@ -4691,10 +4477,6 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
- "type": "similar"
}
],
"uuid": "98d89476-63ec-4baf-b2b3-86c52170f5d8",
@@ -4707,7 +4489,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5089",
+ "software_attack_id": "S3201",
"source": "Tidal Cyber",
"tags": [
"96bff827-e51f-47de-bde6-d2eec0f99767",
@@ -4734,7 +4516,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5090",
+ "software_attack_id": "S3202",
"source": "Tidal Cyber",
"tags": [
"4c8f8830-0b2c-4c79-b1db-8659ede492f0",
@@ -4756,7 +4538,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5091",
+ "software_attack_id": "S3203",
"source": "Tidal Cyber",
"tags": [
"65938118-2f00-48a1-856e-d1a75a08e3c6",
@@ -4789,12 +4571,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "fbd3f71a-e123-5527-908c-9e7ea0d646e8",
"value": "COATHANGER"
},
@@ -4834,6 +4611,10 @@
"dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
"type": "used-by"
},
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "b8a349a6-cde1-4d95-b20f-44c62bbfc786",
"type": "used-by"
@@ -4977,10 +4758,6 @@
{
"dest-uuid": "713e2963-fbf4-406f-a8cf-6a4489d90439",
"type": "used-by"
- },
- {
- "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616",
- "type": "similar"
}
],
"uuid": "9b6bcbba-3ab4-4a4c-a233-cd12254823f6",
@@ -4995,7 +4772,7 @@
"macOS",
"Windows"
],
- "software_attack_id": "S5057",
+ "software_attack_id": "S3080",
"source": "Tidal Cyber",
"tags": [
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -5029,12 +4806,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "aa1462a1-d065-416c-b354-bedd04998c7f",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d4e6f9f7-7f4d-47c2-be24-b267d9317303",
"value": "Cobian RAT"
},
@@ -5045,7 +4817,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5185",
+ "software_attack_id": "S3306",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -5071,12 +4843,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "d1531eaa-9e17-473e-a680-3298469662c3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "b0d9b31a-072b-4744-8d2f-3a63256a932f",
"value": "CoinTicker"
},
@@ -5087,7 +4854,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5092",
+ "software_attack_id": "S3204",
"source": "Tidal Cyber",
"tags": [
"884eb1b1-aede-4db0-8443-ba50624682e1",
@@ -5114,12 +4881,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "341fc709-4908-4e41-8df3-554dae6d72b0",
"value": "Comnie"
},
@@ -5142,10 +4904,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
- "type": "similar"
}
],
"uuid": "300c5997-a486-4a61-8213-93a180c22849",
@@ -5158,7 +4916,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5202",
+ "software_attack_id": "S3323",
"source": "Tidal Cyber",
"tags": [
"758c3085-2f79-40a8-ab95-f8a684737927",
@@ -5203,12 +4961,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ef33f1fa-18a3-4b30-b359-17b7930f43a7",
"value": "Conficker"
},
@@ -5219,7 +4972,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5093",
+ "software_attack_id": "S3205",
"source": "Tidal Cyber",
"tags": [
"d99039e1-e677-4226-8b63-e698d6642535",
@@ -5241,7 +4994,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5094",
+ "software_attack_id": "S3206",
"source": "Tidal Cyber",
"tags": [
"ea54037d-e07b-42b0-afe6-33576ec36f44",
@@ -5287,6 +5040,18 @@
]
},
"related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
{
"dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0",
"type": "used-by"
@@ -5310,10 +5075,6 @@
{
"dest-uuid": "b4d068ac-9b68-4cd8-bf0c-019f910ef8e3",
"type": "used-by"
- },
- {
- "dest-uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261",
- "type": "similar"
}
],
"uuid": "6f9bb24d-cce2-49de-bedd-1849d9bde7a0",
@@ -5328,6 +5089,7 @@
"software_attack_id": "S0575",
"source": "MITRE",
"tags": [
+ "a3d78265-f5b3-4254-8af5-c629dbb795d4",
"64d3f7d8-30b7-4b03-bee2-a6029672216c",
"375983b3-6e87-4281-99e2-1561519dd17b",
"3ed2343c-a29c-42e2-8259-410381164c6a",
@@ -5359,10 +5121,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b",
- "type": "similar"
}
],
"uuid": "8e995c29-2759-4aeb-9a0f-bb7cd97b06e5",
@@ -5375,7 +5133,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5095",
+ "software_attack_id": "S3207",
"source": "Tidal Cyber",
"tags": [
"53ac2b35-d302-4bdd-9931-5b6c6cb31b96",
@@ -5402,12 +5160,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "eedc01d5-95e6-4d21-bcd4-1121b1df4586",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6e2c4aef-2f69-4507-9ee3-55432d76341e",
"value": "CookieMiner"
},
@@ -5430,10 +5183,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e",
- "type": "similar"
}
],
"uuid": "f13c8455-d615-4f8d-9d9c-5b31e593cd8a",
@@ -5446,7 +5195,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5209",
+ "software_attack_id": "S3330",
"source": "Tidal Cyber",
"tags": [
"a19a158e-aec4-410a-8c3e-e9080b111183",
@@ -5480,15 +5229,36 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
- "type": "similar"
}
],
"uuid": "3b193f62-2b49-4eff-bdf4-501fb8a28274",
"value": "CORESHELL"
},
+ {
+ "description": "Corona is a suspected variant of the popular Mirai botnet, which has been observed since at least 2020 (its name likely relates to the COVID-19 pandemic).[[Akamai Corona Zero-Day August 28 2024](/references/140284f8-075c-4225-99dd-519ba5cebabe)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Linux"
+ ],
+ "software_attack_id": "S3167",
+ "source": "Tidal Cyber",
+ "tags": [
+ "55cb344a-cbd5-4fd1-a1e9-30bbc956527e",
+ "f925e659-1120-4b76-92b6-071a7fb757d6",
+ "06236145-e9d6-461c-b7e4-284b3de5f561",
+ "a98d7a43-f227-478e-81de-e7299639a355",
+ "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a",
+ "e809d252-12cc-494d-94f5-954c49eb87ce"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "e4e37a06-ee31-44bf-a818-efa236ada136",
+ "value": "Corona (Mirai Botnet Variant)"
+ },
{
"description": "[CosmicDuke](https://app.tidalcyber.com/software/43b317c6-5b4f-47b8-b7b4-15cd6f455091) is malware that was used by [APT29](https://app.tidalcyber.com/groups/4c3e48b9-4426-4271-a7af-c3dfad79f447) from 2010 to 2015. [[F-Secure The Dukes](https://app.tidalcyber.com/references/cc0dc623-ceb5-4ac6-bfbb-4f8514d45a27)]",
"meta": {
@@ -5508,10 +5278,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
- "type": "similar"
}
],
"uuid": "43b317c6-5b4f-47b8-b7b4-15cd6f455091",
@@ -5529,12 +5295,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "5d342981-5194-41e7-b33f-8e91998d7d88",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ea9e2d19-89fe-4039-a1e0-467b14554c6f",
"value": "CostaBricks"
},
@@ -5557,10 +5318,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
- "type": "similar"
}
],
"uuid": "c2353daa-fd4c-44e1-8013-55400439965a",
@@ -5575,6 +5332,12 @@
"software_attack_id": "S0488",
"source": "MITRE",
"tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
"e1af18e3-3224-4e4c-9d0f-533768474508",
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
"e81ba503-60b0-4b64-8f20-ef93e7783796"
@@ -5603,10 +5366,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0",
- "type": "similar"
}
],
"uuid": "47e710b4-1397-47cf-a979-20891192f313",
@@ -5619,7 +5378,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5210",
+ "software_attack_id": "S3331",
"source": "Tidal Cyber",
"tags": [
"7beee233-2b65-4593-88e6-a5c0c02c6a08",
@@ -5641,7 +5400,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5074",
+ "software_attack_id": "S3099",
"source": "Tidal Cyber",
"tags": [
"904ad11a-20ca-479c-ad72-74bd5d9dc7e4",
@@ -5682,10 +5441,6 @@
{
"dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315",
"type": "used-by"
- },
- {
- "dest-uuid": "750eb92a-7fdf-451e-9592-1d42357018f1",
- "type": "similar"
}
],
"uuid": "7f7f05c3-fbb1-475e-b672-2113709065c8",
@@ -5707,10 +5462,6 @@
{
"dest-uuid": "7fbd7514-76e9-4696-8c66-9f95546e3315",
"type": "used-by"
- },
- {
- "dest-uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b",
- "type": "similar"
}
],
"uuid": "11ce380c-481b-4c9b-b44e-06f1a91c01c1",
@@ -5735,10 +5486,6 @@
{
"dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25",
"type": "used-by"
- },
- {
- "dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
- "type": "similar"
}
],
"uuid": "3b3f296f-20a6-459a-98c5-62ebdee3701f",
@@ -5762,10 +5509,6 @@
{
"dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14",
"type": "used-by"
- },
- {
- "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea",
- "type": "similar"
}
],
"uuid": "38811c3b-f548-43fa-ab26-c7243b84a055",
@@ -5787,10 +5530,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593",
- "type": "similar"
}
],
"uuid": "e1ad229b-d750-4148-a1f3-36e767b03cd1",
@@ -5812,10 +5551,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862",
- "type": "similar"
}
],
"uuid": "12ce6d04-ebe5-440e-b342-0283b7c8a0c8",
@@ -5828,7 +5563,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5096",
+ "software_attack_id": "S3208",
"source": "Tidal Cyber",
"tags": [
"2ee25dd6-256c-4659-b1b6-f5afc943ccc1",
@@ -5855,7 +5590,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5097",
+ "software_attack_id": "S3209",
"source": "Tidal Cyber",
"tags": [
"7cae5f59-dbbf-406f-928d-118430d2bdd0",
@@ -5877,7 +5612,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5211",
+ "software_attack_id": "S3332",
"source": "Tidal Cyber",
"tags": [
"86bb7f3c-652c-4f77-af2a-34677ff42315",
@@ -5908,10 +5643,6 @@
{
"dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
"type": "used-by"
- },
- {
- "dest-uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94",
- "type": "similar"
}
],
"uuid": "eb481db6-d7ba-4873-a171-76a228c9eb97",
@@ -5955,10 +5686,6 @@
{
"dest-uuid": "c2015888-72c0-4367-b2cf-df85688a56b7",
"type": "used-by"
- },
- {
- "dest-uuid": "6cd07296-14aa-403d-9229-6343d03d4752",
- "type": "similar"
}
],
"uuid": "095064c6-144e-4935-b878-f82151bc08e4",
@@ -5971,7 +5698,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5098",
+ "software_attack_id": "S3210",
"source": "Tidal Cyber",
"tags": [
"536c3d51-9fc4-445e-9723-e11b69f0d6d5",
@@ -6006,10 +5733,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e",
- "type": "similar"
}
],
"uuid": "68792756-7dbf-41fd-8d48-ac3cc2b52712",
@@ -6033,10 +5756,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128",
- "type": "similar"
}
],
"uuid": "9d521c18-09f0-47be-bfe5-e1bf26f7b928",
@@ -6061,10 +5780,6 @@
{
"dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
"type": "used-by"
- },
- {
- "dest-uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb",
- "type": "similar"
}
],
"uuid": "131c0eb2-9191-4ccd-a2d6-5f36046a8f2f",
@@ -6097,10 +5812,6 @@
{
"dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25",
"type": "used-by"
- },
- {
- "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547",
- "type": "similar"
}
],
"uuid": "74f88899-56d0-4de8-97de-539b3590ab90",
@@ -6115,6 +5826,7 @@
"software_attack_id": "S1111",
"source": "MITRE",
"tags": [
+ "7b774e30-5065-41bd-85e2-e02d09e419ed",
"84615fe0-c2a5-4e07-8957-78ebc29b4635"
],
"type": [
@@ -6125,10 +5837,6 @@
{
"dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a",
"type": "used-by"
- },
- {
- "dest-uuid": "6f6f67c9-556d-4459-95c2-78d272190e52",
- "type": "similar"
}
],
"uuid": "39d81c48-8f7c-54cb-8fac-485598e31a55",
@@ -6171,12 +5879,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "35abcb6b-3259-57c1-94fc-50cfd5bde786",
"value": "DarkTortilla"
},
@@ -6195,12 +5898,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "63686509-069b-4143-99ea-4e59cad6cb2a",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "740a0327-4caf-4d90-8b51-f3f9a4d59b37",
"value": "DarkWatchman"
},
@@ -6220,10 +5918,6 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
- "type": "similar"
}
],
"uuid": "fad65026-57c4-4d4f-8803-87178dd4b887",
@@ -6236,7 +5930,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5099",
+ "software_attack_id": "S3211",
"source": "Tidal Cyber",
"tags": [
"0576be43-65c6-4d1a-8a06-ed8232ca0120",
@@ -6258,7 +5952,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5287",
+ "software_attack_id": "S3002",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -6293,10 +5987,6 @@
{
"dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c",
"type": "used-by"
- },
- {
- "dest-uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0",
- "type": "similar"
}
],
"uuid": "26ae3cd1-6710-4807-b674-957bd67d3e76",
@@ -6315,10 +6005,6 @@
{
"dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
"type": "used-by"
- },
- {
- "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
- "type": "similar"
}
],
"uuid": "0657b804-a889-400a-97d7-a4989809a623",
@@ -6339,12 +6025,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e9533664-90c5-5b40-a40e-a69a2eda8bc9",
"value": "DEADEYE"
},
@@ -6367,10 +6048,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658",
- "type": "similar"
}
],
"uuid": "64dc5d44-2304-4875-b517-316ab98512c2",
@@ -6392,12 +6069,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "6de9cad1-eed2-4e27-b0b5-39fa29349ea0",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "832f5ab1-1267-40c9-84ef-f32d6373be4e",
"value": "DEATHRANSOM"
},
@@ -6408,7 +6080,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5212",
+ "software_attack_id": "S3333",
"source": "Tidal Cyber",
"tags": [
"4f7be515-680e-4375-81f6-c71c83dd440d",
@@ -6430,7 +6102,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5029",
+ "software_attack_id": "S3031",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -6477,10 +6149,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a",
- "type": "similar"
}
],
"uuid": "df4002d2-f557-4f95-af7a-9a4582fb7068",
@@ -6493,7 +6161,7 @@
"platforms": [
"IaaS"
],
- "software_attack_id": "S5313",
+ "software_attack_id": "S3126",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -6541,10 +6209,6 @@
{
"dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
"type": "used-by"
- },
- {
- "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
- "type": "similar"
}
],
"uuid": "9222aa77-922e-43c7-89ad-71067c428fb2",
@@ -6557,7 +6221,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5188",
+ "software_attack_id": "S3309",
"source": "Tidal Cyber",
"tags": [
"7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079",
@@ -6579,7 +6243,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5100",
+ "software_attack_id": "S3212",
"source": "Tidal Cyber",
"tags": [
"acc0e091-a071-4e83-b0b1-4f3adebeafa3",
@@ -6601,7 +6265,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5101",
+ "software_attack_id": "S3213",
"source": "Tidal Cyber",
"tags": [
"2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25",
@@ -6623,7 +6287,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5213",
+ "software_attack_id": "S3334",
"source": "Tidal Cyber",
"tags": [
"bb814941-0155-49b1-8f93-39626d4f0ddd",
@@ -6645,7 +6309,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5214",
+ "software_attack_id": "S3335",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -6666,7 +6330,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5252",
+ "software_attack_id": "S3373",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -6687,7 +6351,7 @@
"platforms": [
"Linux"
],
- "software_attack_id": "S5021",
+ "software_attack_id": "S3059",
"source": "Tidal Cyber",
"tags": [
"a98d7a43-f227-478e-81de-e7299639a355",
@@ -6708,7 +6372,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5189",
+ "software_attack_id": "S3310",
"source": "Tidal Cyber",
"tags": [
"91fd24c3-f371-4c3b-b997-cd85e25c0967",
@@ -6730,7 +6394,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5102",
+ "software_attack_id": "S3214",
"source": "Tidal Cyber",
"tags": [
"18d6d91d-7df0-44c8-88fe-986d9ba00b8d",
@@ -6752,7 +6416,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5103",
+ "software_attack_id": "S3215",
"source": "Tidal Cyber",
"tags": [
"96f9b39f-0c59-48a0-9702-01920c1293a7",
@@ -6787,10 +6451,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623",
- "type": "similar"
}
],
"uuid": "d057b6e7-1de4-4f2f-b374-7e879caecd67",
@@ -6812,10 +6472,6 @@
{
"dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74",
"type": "used-by"
- },
- {
- "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517",
- "type": "similar"
}
],
"uuid": "226ee563-4d49-48c2-aa91-82999f43ce30",
@@ -6837,10 +6493,6 @@
{
"dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc",
"type": "used-by"
- },
- {
- "dest-uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157",
- "type": "similar"
}
],
"uuid": "194314e3-4edc-5346-96b6-d2d7bf5d830a",
@@ -6853,7 +6505,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5104",
+ "software_attack_id": "S3216",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -6874,7 +6526,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5016",
+ "software_attack_id": "S3217",
"source": "Tidal Cyber",
"tags": [
"a45f9597-09c4-4e70-a7d3-d8235d2451a3",
@@ -6919,10 +6571,6 @@
{
"dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
"type": "used-by"
- },
- {
- "dest-uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900",
- "type": "similar"
}
],
"uuid": "e69a913d-4ddc-4d69-9961-25a31cae5899",
@@ -6935,7 +6583,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5215",
+ "software_attack_id": "S3336",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -6968,10 +6616,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d",
- "type": "similar"
}
],
"uuid": "81ce23c0-f505-4d75-9928-4fbd627d3bc2",
@@ -6989,12 +6633,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "f36b2598-515f-4345-84e5-5ccde253edbe",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "dfa14314-3c64-4a10-9889-0423b884f7aa",
"value": "Dok"
},
@@ -7014,12 +6653,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4f1c389e-a80e-4a3e-9b0e-9be8c91df64f",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e6160c55-1868-47bd-bec6-7becbf236bbb",
"value": "Doki"
},
@@ -7043,10 +6677,6 @@
{
"dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
"type": "used-by"
- },
- {
- "dest-uuid": "a7b5df47-73bb-4d47-b701-869f185633a6",
- "type": "similar"
}
],
"uuid": "40d25a38-91f4-4e07-bb97-8866bed8e44f",
@@ -7059,7 +6689,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5216",
+ "software_attack_id": "S3337",
"source": "Tidal Cyber",
"tags": [
"09c24b93-bf06-4cbb-acb0-d7b9657a41dc",
@@ -7074,6 +6704,33 @@
"uuid": "1bcd9c93-0944-4671-ab01-cabc5ffe30bf",
"value": "Dotnet"
},
+ {
+ "description": "DOWNBAIT is a downloader, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3177",
+ "source": "Tidal Cyber",
+ "tags": [
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "bd55fa7c-7747-4d3d-8176-e6c56870b2a3",
+ "value": "DOWNBAIT"
+ },
{
"description": "[Downdelph](https://app.tidalcyber.com/software/f7b64b81-f9e7-46bf-8f63-6d7520da832c) is a first-stage downloader written in Delphi that has been used by [APT28](https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5) in rare instances between 2013 and 2015. [[ESET Sednit Part 3](https://app.tidalcyber.com/references/7c2be444-a947-49bc-b5f6-8f6bec870c6a)]",
"meta": {
@@ -7093,10 +6750,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
- "type": "similar"
}
],
"uuid": "f7b64b81-f9e7-46bf-8f63-6d7520da832c",
@@ -7121,10 +6774,6 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc",
- "type": "similar"
}
],
"uuid": "20b796cf-6c90-4928-999e-88107078e15e",
@@ -7138,6 +6787,9 @@
],
"software_attack_id": "S0186",
"source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
"type": [
"malware"
]
@@ -7146,10 +6798,6 @@
{
"dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
"type": "used-by"
- },
- {
- "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
- "type": "similar"
}
],
"uuid": "fc433c9d-a7fe-4915-8aa0-06b58f288249",
@@ -7167,12 +6815,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "56aa3c82-ed40-4b5a-84bf-7231356d9e96",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf",
"value": "DRATzarus"
},
@@ -7199,10 +6842,6 @@
{
"dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
"type": "used-by"
- },
- {
- "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19",
- "type": "similar"
}
],
"uuid": "e3cd4405-b698-41d9-88e4-fff29e7a19e2",
@@ -7224,10 +6863,6 @@
{
"dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
"type": "used-by"
- },
- {
- "dest-uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa",
- "type": "similar"
}
],
"uuid": "9c44d3f9-7a7b-4716-9cfa-640b36548ab0",
@@ -7254,10 +6889,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "99164b38-1775-40bc-b77b-a2373b14540a",
- "type": "similar"
}
],
"uuid": "bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b",
@@ -7270,7 +6901,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5217",
+ "software_attack_id": "S3338",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -7310,10 +6941,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
- "type": "similar"
}
],
"uuid": "06402bdc-a4a1-4e4a-bfc4-09f2c159af75",
@@ -7338,10 +6965,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "f8774023-8021-4ece-9aca-383ac89d2759",
- "type": "similar"
}
],
"uuid": "aa21462d-9653-48eb-a82e-5c93c9db5f7a",
@@ -7354,7 +6977,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5218",
+ "software_attack_id": "S3339",
"source": "Tidal Cyber",
"tags": [
"0f09c7f5-ba57-4ef0-a196-e85558804496",
@@ -7369,6 +6992,34 @@
"uuid": "13482336-e22b-48e9-bd49-c6e6fc6612ec",
"value": "Dump64"
},
+ {
+ "description": "Dumpert is an open-source tool that provides credential dumping capabilities. It has been leveraged by adversaries including North Korean state-sponsored espionage groups.[[GitHub outflanknl Dumpert](/references/ab375812-def9-4491-a69f-62755fb26910)][[U.S. CISA Andariel July 25 2024](/references/b615953e-3c6c-4201-914c-4b75e45bb9ed)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3166",
+ "source": "Tidal Cyber",
+ "tags": [
+ "bdeef9bf-b9d5-41ec-9d4c-0315709639a2",
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "27a117ce-bb19-4f79-9bc2-a851b69c5c50",
+ "6070668f-1cbd-4878-8066-c636d1d8659c",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c",
+ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [],
+ "uuid": "0ffc1b99-5ca1-4af4-95c7-7a311a32f911",
+ "value": "Dumpert"
+ },
{
"description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Dump tool part Visual Studio 2022\n\n**Author:** mr.d0x\n\n**Paths:**\n* C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\Extensions\n\n**Resources:**\n* [https://twitter.com/mrd0x/status/1511415432888131586](https://twitter.com/mrd0x/status/1511415432888131586)\n\n**Detection:**\n* Sigma: [proc_creation_win_dumpminitool_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml)\n* Sigma: [proc_creation_win_dumpminitool_susp_execution.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml)\n* Sigma: [proc_creation_win_devinit_lolbin_usage.yml](https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml)[[DumpMinitool.exe - LOLBAS Project](/references/4634e025-c005-46fe-b97c-5d7dda455ba0)]",
"meta": {
@@ -7376,7 +7027,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5219",
+ "software_attack_id": "S3340",
"source": "Tidal Cyber",
"tags": [
"3b6ad94f-83ce-47bf-b82d-b98358d23434",
@@ -7406,12 +7057,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d4a664e5-9819-4f33-8b2b-e6f8e6a64999",
"value": "Duqu"
},
@@ -7434,10 +7080,6 @@
{
"dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
"type": "used-by"
- },
- {
- "dest-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
- "type": "similar"
}
],
"uuid": "77506f02-104f-4aac-a4e0-9649bd7efe2e",
@@ -7450,7 +7092,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5220",
+ "software_attack_id": "S3341",
"source": "Tidal Cyber",
"tags": [
"6d065f28-e32d-4e87-b315-c43ebc45532a",
@@ -7481,10 +7123,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe",
- "type": "similar"
}
],
"uuid": "38e012f7-fb3a-4250-a129-92da3a488724",
@@ -7497,7 +7135,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5013",
+ "software_attack_id": "S3053",
"source": "Tidal Cyber",
"tags": [
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -7541,10 +7179,6 @@
{
"dest-uuid": "eeb69751-8c22-4a5f-8da2-239cc7d7746c",
"type": "used-by"
- },
- {
- "dest-uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51",
- "type": "similar"
}
],
"uuid": "2375465a-e6a9-40ab-b631-a5b04cf5c689",
@@ -7570,10 +7204,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42",
- "type": "similar"
}
],
"uuid": "70f703b3-0e24-4ffe-9772-f0e386ec607f",
@@ -7595,10 +7225,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3",
- "type": "similar"
}
],
"uuid": "6508d3dc-eb22-468c-9122-dcf541caa69c",
@@ -7611,7 +7237,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5332",
+ "software_attack_id": "S3147",
"source": "Tidal Cyber",
"tags": [
"39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb",
@@ -7626,11 +7252,72 @@
{
"dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
"type": "used-by"
+ },
+ {
+ "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8",
+ "type": "used-by"
}
],
"uuid": "1233436f-2a00-4557-89a4-8cbc45e6f9f7",
"value": "EDRKillShifter"
},
+ {
+ "description": "An open-source, multi-purpose tool with defense evasion, credential dumping, and privilege escalation capabilities, observed in use during ransomware intrusions.[[GitHub wavestone-cdt EDRSandBlast](/references/228dd3e1-1952-447c-a500-31663a2efe45)][[Morphisec September 3 2024](/references/90549699-8815-45e8-820c-4f5a7fc584b8)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3165",
+ "source": "Tidal Cyber",
+ "tags": [
+ "835c9c79-3824-41ec-8d5a-1e2526e89e0b",
+ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
+ "7de7d799-f836-4555-97a4-0db776eb6932",
+ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c",
+ "e1af18e3-3224-4e4c-9d0f-533768474508",
+ "39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7a28cff6-80df-49e1-8457-a0305e736897",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "fbd2d7b0-0aa8-459f-8bfa-16daae769282",
+ "value": "EDRSandBlast"
+ },
+ {
+ "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3157",
+ "source": "Tidal Cyber",
+ "tags": [
+ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "d1279b84-11f4-4804-9e5e-05c650960aac",
+ "value": "Edumper"
+ },
{
"description": "[Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://app.tidalcyber.com/software/0e36b62f-a6e2-4406-b3d9-e05204e14a66) and Sekhmet ransomware, as well as [Maze](https://app.tidalcyber.com/software/3c206491-45c0-4ff7-9f40-45f9aae4de64) ransomware.[[NHS Digital Egregor Nov 2020](https://app.tidalcyber.com/references/92f74037-2a20-4667-820d-2ccc0e4dbd3d)][[Cyble Egregor Oct 2020](https://app.tidalcyber.com/references/545a131d-88fc-4b34-923c-0b759b45fc7f)][[Security Boulevard Egregor Oct 2020](https://app.tidalcyber.com/references/cd37a000-9e15-45a3-a7c9-bb508c10e55d)]",
"meta": {
@@ -7650,12 +7337,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "cc4c1287-9c86-4447-810c-744f3880ec37",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "0e36b62f-a6e2-4406-b3d9-e05204e14a66",
"value": "Egregor"
},
@@ -7676,12 +7358,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "cd7821cb-32f3-4d81-a5d1-0cdee94a15c4",
"value": "EKANS"
},
@@ -7693,7 +7370,7 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5330",
+ "software_attack_id": "S3145",
"source": "Tidal Cyber",
"tags": [
"a2e000da-8181-4327-bacd-32013dbd3654",
@@ -7735,10 +7412,6 @@
{
"dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52",
"type": "used-by"
- },
- {
- "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
- "type": "similar"
}
],
"uuid": "fd5efee9-8710-4536-861f-c88d882f4d24",
@@ -7760,10 +7433,6 @@
{
"dest-uuid": "06a05175-0812-44f5-a529-30eba07d1762",
"type": "used-by"
- },
- {
- "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
- "type": "similar"
}
],
"uuid": "6a3ca97e-6dd6-44e5-a5f0-7225099ab474",
@@ -7785,10 +7454,6 @@
{
"dest-uuid": "2849455a-cf39-4a9f-bd89-c2b3c1e5dd52",
"type": "used-by"
- },
- {
- "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
- "type": "similar"
}
],
"uuid": "fd95d38d-83f9-4b31-8292-ba2b04275b36",
@@ -7823,10 +7488,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023",
- "type": "similar"
}
],
"uuid": "c987d255-a351-4736-913f-91e2f28d0654",
@@ -7926,10 +7587,6 @@
{
"dest-uuid": "345e553a-164d-4c9d-8bf9-19fcf8a51533",
"type": "used-by"
- },
- {
- "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
- "type": "similar"
}
],
"uuid": "fea655ac-558f-4dd0-867f-9a5553626207",
@@ -7944,6 +7601,7 @@
"software_attack_id": "S0634",
"source": "MITRE",
"tags": [
+ "542316f4-baf4-4cf7-929b-b1deed09d23b",
"84615fe0-c2a5-4e07-8957-78ebc29b4635"
],
"type": [
@@ -7954,10 +7612,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d",
- "type": "similar"
}
],
"uuid": "8da6fbf0-a18d-49a0-9235-101300d49d5e",
@@ -7982,10 +7636,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
- "type": "similar"
}
],
"uuid": "a7e71387-b276-413c-a0de-4cf07e39b158",
@@ -8016,10 +7666,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27",
- "type": "similar"
}
],
"uuid": "a7589733-6b04-4215-a4e7-4b62cd4610fa",
@@ -8032,7 +7678,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5105",
+ "software_attack_id": "S3219",
"source": "Tidal Cyber",
"tags": [
"59d03fb8-0620-468a-951c-069473cb86bc",
@@ -8059,12 +7705,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "a8a778f5-0035-4870-bb25-53dc05029586",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "300e8176-e7ee-44ef-8d10-dff96502f6c6",
"value": "EvilBunny"
},
@@ -8075,7 +7716,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5078",
+ "software_attack_id": "S3103",
"source": "Tidal Cyber",
"tags": [
"fe28cf32-a15c-44cf-892c-faa0360d6109",
@@ -8119,10 +7760,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
- "type": "similar"
}
],
"uuid": "e862419c-d6b6-4433-a02a-c1cc98ea6f9e",
@@ -8147,10 +7784,6 @@
{
"dest-uuid": "4bdc62c9-af6a-4377-8431-58a6f39235dd",
"type": "used-by"
- },
- {
- "dest-uuid": "7cdfccda-2950-4167-981a-60872ff5d0db",
- "type": "similar"
}
],
"uuid": "e0eaae6d-5137-4053-bf37-ff90bf5767a9",
@@ -8172,10 +7805,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd",
- "type": "similar"
}
],
"uuid": "c773f709-b5fe-4514-9d88-24ceb0dd8063",
@@ -8197,10 +7826,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5",
- "type": "similar"
}
],
"uuid": "21569dfb-c9f1-468e-903e-348f19dbae1f",
@@ -8213,7 +7838,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5221",
+ "software_attack_id": "S3342",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -8234,7 +7859,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5054",
+ "software_attack_id": "S3077",
"source": "Tidal Cyber",
"tags": [
"8bf128ad-288b-41bc-904f-093f4fdde745"
@@ -8269,12 +7894,7 @@
"tool"
]
},
- "related": [
- {
- "dest-uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5d7a39e3-c667-45b3-987e-3b0ca49cff61",
"value": "Expand"
},
@@ -8285,7 +7905,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5106",
+ "software_attack_id": "S3221",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -8324,10 +7944,6 @@
{
"dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
"type": "used-by"
- },
- {
- "dest-uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44",
- "type": "similar"
}
],
"uuid": "572eec55-2855-49ac-a82e-2c21e9aca27e",
@@ -8340,7 +7956,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5107",
+ "software_attack_id": "S3222",
"source": "Tidal Cyber",
"tags": [
"5b81675a-742a-4ffd-b410-44ce3f1b0831",
@@ -8362,7 +7978,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5030",
+ "software_attack_id": "S3032",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -8397,7 +8013,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5108",
+ "software_attack_id": "S3223",
"source": "Tidal Cyber",
"tags": [
"92092803-19a9-4288-b7fb-08e92e8ea693",
@@ -8428,10 +8044,6 @@
{
"dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4",
"type": "used-by"
- },
- {
- "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921",
- "type": "similar"
}
],
"uuid": "8c64a330-1457-4c32-ab2f-12b6eb37d607",
@@ -8444,7 +8056,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5321",
+ "software_attack_id": "S3136",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -8481,10 +8093,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
- "type": "similar"
}
],
"uuid": "ea47f1fd-0171-4254-8c92-92b7a5eec5e1",
@@ -8509,15 +8117,38 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a",
- "type": "similar"
}
],
"uuid": "997ff740-1b00-40b6-887a-ef4101e93295",
"value": "FatDuke"
},
+ {
+ "description": "FDMTP is a downloader, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3173",
+ "source": "Tidal Cyber",
+ "tags": [
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "8e623e62-524f-43de-934c-3792bfd69d3f",
+ "value": "FDMTP"
+ },
{
"description": "[Felismus](https://app.tidalcyber.com/software/c66ed8ab-4692-4948-820e-5ce87cc78db5) is a modular backdoor that has been used by [Sowbug](https://app.tidalcyber.com/groups/6632f07f-7c6b-4d12-8544-82edc6a7a577). [[Symantec Sowbug Nov 2017](https://app.tidalcyber.com/references/14f49074-fc46-45d3-bf7e-30c896c39c07)] [[Forcepoint Felismus Mar 2017](https://app.tidalcyber.com/references/23b94586-3856-4937-9b02-4fe184b7ba01)]",
"meta": {
@@ -8534,10 +8165,6 @@
{
"dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577",
"type": "used-by"
- },
- {
- "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
- "type": "similar"
}
],
"uuid": "c66ed8ab-4692-4948-820e-5ce87cc78db5",
@@ -8555,12 +8182,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4b1a07cd-4c1f-4d93-a454-07fd59b3039a",
"value": "FELIXROOT"
},
@@ -8580,10 +8202,6 @@
{
"dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa",
"type": "used-by"
- },
- {
- "dest-uuid": "73d08401-005f-4e1f-90b9-8f45d120879f",
- "type": "similar"
}
],
"uuid": "3e54ba7a-fd4c-477f-9c2d-34b4f69fc091",
@@ -8601,12 +8219,7 @@
"tool"
]
},
- "related": [
- {
- "dest-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "1bbf04bb-d869-48c5-a538-70a25503de1d",
"value": "Fgdump"
},
@@ -8617,7 +8230,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5031",
+ "software_attack_id": "S3033",
"source": "Tidal Cyber",
"tags": [
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
@@ -8676,10 +8289,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71",
- "type": "similar"
}
],
"uuid": "eb4dc358-e353-47fc-8207-b7cb10d580f7",
@@ -8692,7 +8301,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5109",
+ "software_attack_id": "S3224",
"source": "Tidal Cyber",
"tags": [
"6ca537bb-94b6-4b12-8978-6250baa6a5cb",
@@ -8733,10 +8342,6 @@
{
"dest-uuid": "7ad94dbf-9909-42dd-8b62-a435481bdb14",
"type": "used-by"
- },
- {
- "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858",
- "type": "similar"
}
],
"uuid": "41f54ce1-842c-428a-977f-518a5b63b4d7",
@@ -8749,7 +8354,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5110",
+ "software_attack_id": "S3225",
"source": "Tidal Cyber",
"tags": [
"1da4f610-4c54-46a3-b9b3-c38a002b623e",
@@ -8787,10 +8392,6 @@
{
"dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44",
"type": "used-by"
- },
- {
- "dest-uuid": "f464354c-7103-47c6-969b-8766f0157ed2",
- "type": "similar"
}
],
"uuid": "84187393-2fe9-4136-8720-a6893734ee8c",
@@ -8815,10 +8416,6 @@
{
"dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
"type": "used-by"
- },
- {
- "dest-uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d",
- "type": "similar"
}
],
"uuid": "977aaf8a-2216-40f0-8682-61dd91638147",
@@ -8839,12 +8436,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "87604333-638f-4f4a-94e0-16aa825dd5b8",
"value": "Flame"
},
@@ -8864,10 +8456,6 @@
{
"dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
"type": "used-by"
- },
- {
- "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
- "type": "similar"
}
],
"uuid": "44a5e62a-6de4-49d2-8f1b-e68ecdf9f332",
@@ -8896,10 +8484,6 @@
{
"dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
"type": "used-by"
- },
- {
- "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078",
- "type": "similar"
}
],
"uuid": "308dbe77-3d58-40bb-b0a5-cd00f152dc60",
@@ -8914,6 +8498,7 @@
"software_attack_id": "S0383",
"source": "MITRE",
"tags": [
+ "ede6e717-5e5f-4321-9ddd-d0d7ab315a89",
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
"15787198-6c8b-4f79-bf50-258d55072fee",
"84615fe0-c2a5-4e07-8957-78ebc29b4635",
@@ -8935,10 +8520,6 @@
{
"dest-uuid": "eb10ed9e-ea8d-4b61-bfc3-5994d30970df",
"type": "used-by"
- },
- {
- "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4",
- "type": "similar"
}
],
"uuid": "c558e948-c817-4494-a95d-ad3207f10e26",
@@ -8951,7 +8532,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5056",
+ "software_attack_id": "S3079",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -8991,10 +8572,6 @@
{
"dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
"type": "used-by"
- },
- {
- "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b",
- "type": "similar"
}
],
"uuid": "18002747-ddcc-42c1-b0ca-1e598a9f1919",
@@ -9007,7 +8584,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5111",
+ "software_attack_id": "S3226",
"source": "Tidal Cyber",
"tags": [
"49bbb074-2406-4f27-ad77-d2e433ba1ccb",
@@ -9041,10 +8618,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44",
- "type": "similar"
}
],
"uuid": "bc11844e-0348-4eed-a48a-0554d68db38c",
@@ -9057,7 +8630,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5331",
+ "software_attack_id": "S3146",
"source": "Tidal Cyber",
"tags": [
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
@@ -9101,10 +8674,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
- "type": "similar"
}
],
"uuid": "c6dc67a6-587d-4700-a7de-bee043a0031a",
@@ -9117,7 +8686,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5288",
+ "software_attack_id": "S3003",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -9144,12 +8713,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "bcaae558-9697-47a2-9ec7-c75000ddf58c",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "83721b89-df58-50bf-be2a-0b696fb0da78",
"value": "FRAMESTING"
},
@@ -9166,10 +8730,6 @@
{
"dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
"type": "used-by"
- },
- {
- "dest-uuid": "1cdbbcab-903a-414d-8eb0-439a97343737",
- "type": "similar"
}
],
"uuid": "aef7cbbc-5163-419c-8e4b-3f73bed50474",
@@ -9182,7 +8742,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5032",
+ "software_attack_id": "S3034",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -9222,12 +8782,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "3a05085e-5a1f-4a74-b489-d679b80e2c18",
"value": "FruitFly"
},
@@ -9238,7 +8793,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5222",
+ "software_attack_id": "S3343",
"source": "Tidal Cyber",
"tags": [
"7a4b56fa-5419-411b-86fe-68c9b0ddd3c5",
@@ -9269,7 +8824,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5223",
+ "software_attack_id": "S3344",
"source": "Tidal Cyber",
"tags": [
"c5d1a687-8a36-4995-b8cb-415f33661821",
@@ -9291,7 +8846,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5112",
+ "software_attack_id": "S3228",
"source": "Tidal Cyber",
"tags": [
"76bb7541-94da-4d66-9a57-77f788330287",
@@ -9346,10 +8901,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
- "type": "similar"
}
],
"uuid": "062deac9-8f05-44e2-b347-96b59ba166ca",
@@ -9370,12 +8921,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "be25c1c0-1590-4219-a3d5-6f31799d1d1b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d0490e1d-8287-44d3-8342-944d1203b237",
"value": "FunnyDream"
},
@@ -9395,10 +8941,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "434ba392-ebdc-488b-b1ef-518deea65774",
- "type": "similar"
}
],
"uuid": "be9a2ae5-373a-4dee-9c1e-b54235dafed0",
@@ -9423,15 +8965,35 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b",
- "type": "similar"
}
],
"uuid": "317a7647-aee7-4ce1-a8f8-33a61190f55d",
"value": "Fysbis"
},
+ {
+ "description": "Gamarue is a longstanding family of malicious software which can provide backdoor access to a system. Researchers have observed Gamarue variants with worm-like redistribution capabilities. Gamarue is often observed being delivered via exploit kits, as an attachment to a spam email, or via USB or other removable media.[[microsoft.com April 2 2012](/references/de44abcc-9467-4c63-b0c4-c3a3b282ae39)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S5282",
+ "source": "Tidal Cyber",
+ "tags": [
+ "ca440076-2a36-405a-bf4c-d4529e91b641",
+ "e809d252-12cc-494d-94f5-954c49eb87ce",
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "cac54152-17ad-4bb9-a412-53a35af1e95a",
+ "value": "Gamarue"
+ },
{
"description": "[Gazer](https://app.tidalcyber.com/software/7a60b984-b0c8-4acc-be24-841f4b652872) is a backdoor used by [Turla](https://app.tidalcyber.com/groups/47ae4fb1-fc61-4e8e-9310-66dda706e1a2) since at least 2016. [[ESET Gazer Aug 2017](https://app.tidalcyber.com/references/9d1c40af-d4bc-4d4a-b667-a17378942685)]",
"meta": {
@@ -9451,10 +9013,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
- "type": "similar"
}
],
"uuid": "7a60b984-b0c8-4acc-be24-841f4b652872",
@@ -9472,12 +9030,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "9a117508-1d22-4fea-aa65-db670c13a5c9",
"value": "Gelsemium"
},
@@ -9497,10 +9050,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
- "type": "similar"
}
],
"uuid": "97f32f68-dcd2-4f80-9967-cc87305dc342",
@@ -9525,10 +9074,6 @@
{
"dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
"type": "used-by"
- },
- {
- "dest-uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69",
- "type": "similar"
}
],
"uuid": "a997aaaf-edfc-4489-80a9-3f8d64545de1",
@@ -9541,7 +9086,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5186",
+ "software_attack_id": "S3307",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -9611,10 +9156,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
- "type": "similar"
}
],
"uuid": "269ef8f5-35c8-44ba-afe4-63f4c6431427",
@@ -9632,12 +9173,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "554e010d-726b-439d-9a1a-f60fff0cc109",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5c1a1ce5-927c-5c79-8a14-2789756d41ee",
"value": "GLASSTOKEN"
},
@@ -9657,10 +9193,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2",
- "type": "similar"
}
],
"uuid": "09fdec78-5253-433d-8680-294ba6847be9",
@@ -9673,9 +9205,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5033",
+ "software_attack_id": "S3035",
"source": "Tidal Cyber",
"tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
"e1af18e3-3224-4e4c-9d0f-533768474508",
"39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb",
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -9693,6 +9226,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
{
"dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
"type": "used-by"
@@ -9725,10 +9262,6 @@
{
"dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
"type": "used-by"
- },
- {
- "dest-uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8",
- "type": "similar"
}
],
"uuid": "348fdeb5-6a74-4803-ac6e-e0133ecd7263",
@@ -9749,12 +9282,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b9704a7d-feef-4af9-8898-5280f1686326",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "1b135393-c799-4698-a880-c6a86782adee",
"value": "GoldenSpy"
},
@@ -9774,10 +9302,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "b7010785-699f-412f-ba49-524da6033c76",
- "type": "similar"
}
],
"uuid": "4e8c58c5-443e-4f73-91e9-89146f04e307",
@@ -9803,10 +9327,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0",
- "type": "similar"
}
],
"uuid": "b05a9763-4288-4656-bf4e-ba02bb8b35d6",
@@ -9831,10 +9351,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad",
- "type": "similar"
}
],
"uuid": "a75855fd-2b6b-43d8-99a5-2be03b544f34",
@@ -9847,7 +9363,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5318",
+ "software_attack_id": "S3131",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -9875,9 +9391,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5289",
+ "software_attack_id": "S3004",
"source": "Tidal Cyber",
"tags": [
+ "870fdd22-b373-4cb2-8a00-0acfa4aac897",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"15787198-6c8b-4f79-bf50-258d55072fee",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -9904,7 +9421,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5113",
+ "software_attack_id": "S3230",
"source": "Tidal Cyber",
"tags": [
"2ca5c5e4-ee7f-4698-84ec-ce04d2c1e9cc",
@@ -9934,12 +9451,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "958b5d06-8bb0-4c5b-a2e7-0130fe654ac7",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "61d277f2-abdc-4f2b-b50a-10d0fe91e588",
"value": "Grandoreiro"
},
@@ -9950,7 +9462,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5077",
+ "software_attack_id": "S3102",
"source": "Tidal Cyber",
"type": [
"malware"
@@ -9977,12 +9489,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "1d1fce2f-0db5-402b-9843-4278a0694637",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "08cb425d-7b7a-41dc-a897-9057ce57fea9",
"value": "GravityRAT"
},
@@ -10001,12 +9508,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "59c8a28c-200c-4565-9af1-cbdb24870ba0",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f5691425-6690-4e5e-8304-3ede9d2f5a90",
"value": "Green Lambert"
},
@@ -10026,10 +9528,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8",
- "type": "similar"
}
],
"uuid": "f646e7f9-4d09-46f6-9831-54668fa20483",
@@ -10054,10 +9552,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142",
- "type": "similar"
}
],
"uuid": "ad358082-d83a-4c22-81a1-6c34dd67af26",
@@ -10086,10 +9580,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25",
- "type": "similar"
}
],
"uuid": "c40a71d4-8592-4f82-8af5-18f763e52caf",
@@ -10102,7 +9592,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5079",
+ "software_attack_id": "S3064",
"source": "Tidal Cyber",
"tags": [
"4d767e87-4cf6-438a-927a-43d2d0beaab7"
@@ -10155,10 +9645,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
- "type": "similar"
}
],
"uuid": "5ffe662f-9da1-4b6f-ad3a-f296383e828c",
@@ -10173,20 +9659,13 @@
"software_attack_id": "S0561",
"source": "MITRE",
"tags": [
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
- "2feda37d-5579-4102-a073-aa02e82cb49f",
"84615fe0-c2a5-4e07-8957-78ebc29b4635"
],
"type": [
"malware"
]
},
- "related": [
- {
- "dest-uuid": "45c759ac-b490-48bb-80d4-c8eee3431027",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "03e985d6-870b-4533-af13-08b1e0511444",
"value": "GuLoader"
},
@@ -10202,12 +9681,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5f1602fe-a4ce-4932-9cf9-ec842f2c58f1",
"value": "H1N1"
},
@@ -10220,12 +9694,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "75db2ac3-901e-4b1f-9a0d-bac6562d57a3",
"value": "Hacking Team UEFI Rootkit"
},
@@ -10242,10 +9711,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
- "type": "similar"
}
],
"uuid": "5edf0ef7-a960-4500-8a89-8c8b4fdf8824",
@@ -10270,10 +9735,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
- "type": "similar"
}
],
"uuid": "cc07f03f-9919-4856-9b30-f4d88940b0ec",
@@ -10294,12 +9755,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "ef2247bf-8062-404b-894f-d65d00564817",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4eee3272-07fa-48ee-a7b9-9dfee3e4550a",
"value": "Hancitor"
},
@@ -10316,10 +9772,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
- "type": "similar"
}
],
"uuid": "c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8",
@@ -10341,10 +9793,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988",
- "type": "similar"
}
],
"uuid": "ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7",
@@ -10363,10 +9811,6 @@
{
"dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa",
"type": "used-by"
- },
- {
- "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
- "type": "similar"
}
],
"uuid": "8bd36306-bd4b-4a76-8842-44acb0cedbcc",
@@ -10384,12 +9828,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "392c5a32-53b5-4ce8-a946-226cb533cc4e",
"value": "HAWKBALL"
},
@@ -10409,10 +9848,6 @@
{
"dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7",
"type": "used-by"
- },
- {
- "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e",
- "type": "similar"
}
],
"uuid": "a7ffe1bd-45ca-4ca4-94da-3b6c583a868d",
@@ -10434,10 +9869,6 @@
{
"dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"type": "used-by"
- },
- {
- "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b",
- "type": "similar"
}
],
"uuid": "f155b6f9-258d-4446-8867-fe5ee26d8c72",
@@ -10467,10 +9898,6 @@
{
"dest-uuid": "2e2d3e75-1160-4ba5-80cc-8e7685fcfc44",
"type": "used-by"
- },
- {
- "dest-uuid": "5d11d418-95dd-4377-b782-23160dfa17b4",
- "type": "similar"
}
],
"uuid": "813a4ca1-84fe-42dc-89de-5873d028f98d",
@@ -10495,10 +9922,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
- "type": "similar"
}
],
"uuid": "d6560c81-1e7e-4d01-9814-4be4fb43e655",
@@ -10519,12 +9942,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "a0ab8a96-40c9-4483-8a54-3fafa6d6007a",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f0456f14-4913-4861-b4ad-5e7f3960040e",
"value": "HermeticWiper"
},
@@ -10543,12 +9961,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "36ddc8cd-8f80-489e-a702-c682936b5393",
"value": "HermeticWizard"
},
@@ -10571,10 +9984,6 @@
{
"dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412",
"type": "used-by"
- },
- {
- "dest-uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0",
- "type": "similar"
}
],
"uuid": "1841a6e8-6c23-46a1-9c81-783746083764",
@@ -10587,7 +9996,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5114",
+ "software_attack_id": "S3231",
"source": "Tidal Cyber",
"tags": [
"7d028d1e-7a95-47f0-9367-55517f9ef170",
@@ -10614,12 +10023,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "fc774af4-533b-4724-96d2-ac1026316794",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ec02fb9c-bf9f-404d-bc54-819f2b3fb040",
"value": "HiddenWasp"
},
@@ -10642,10 +10046,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4",
- "type": "similar"
}
],
"uuid": "ce1af464-0b14-4fe9-8591-a6fe58aa96c7",
@@ -10667,10 +10067,6 @@
{
"dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca",
"type": "used-by"
- },
- {
- "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61",
- "type": "similar"
}
],
"uuid": "8046c80c-4339-4cfb-8bfd-464801db2bfe",
@@ -10698,15 +10094,38 @@
{
"dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7",
"type": "used-by"
- },
- {
- "dest-uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120",
- "type": "similar"
}
],
"uuid": "7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c",
"value": "Hildegard"
},
+ {
+ "description": "HIUPAN is a worm, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3174",
+ "source": "Tidal Cyber",
+ "tags": [
+ "e809d252-12cc-494d-94f5-954c49eb87ce",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "d4f74243-0d2d-4095-b66a-6d8291019125",
+ "value": "HIUPAN"
+ },
{
"description": "[Hi-Zor](https://app.tidalcyber.com/software/286184d9-f28a-4d5a-a9dd-2216b3c47809) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://app.tidalcyber.com/software/a316c704-144a-4d14-8e4e-685bb6ae391c). It was used in a campaign named INOCNATION. [[Fidelis Hi-Zor](https://app.tidalcyber.com/references/0c9ff201-283a-4527-8cb8-6f0d05a4f724)]",
"meta": {
@@ -10722,12 +10141,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "286184d9-f28a-4d5a-a9dd-2216b3c47809",
"value": "Hi-Zor"
},
@@ -10747,10 +10161,6 @@
{
"dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
"type": "used-by"
- },
- {
- "dest-uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035",
- "type": "similar"
}
],
"uuid": "16db13f2-f350-4323-96cb-c5f4ac36c3e0",
@@ -10776,10 +10186,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369",
- "type": "similar"
}
],
"uuid": "4d94594c-2224-46ca-8bc3-28b12ed139f9",
@@ -10801,10 +10207,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3",
- "type": "similar"
}
],
"uuid": "a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe",
@@ -10834,10 +10236,6 @@
{
"dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762",
"type": "used-by"
- },
- {
- "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
- "type": "similar"
}
],
"uuid": "b98d9fe7-9aa3-409a-bf5c-eadb01bac948",
@@ -10863,10 +10261,6 @@
{
"dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7",
"type": "used-by"
- },
- {
- "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
- "type": "similar"
}
],
"uuid": "c4fe23f7-f18c-40f6-b431-0b104b497eaa",
@@ -10888,10 +10282,6 @@
{
"dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
"type": "used-by"
- },
- {
- "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0",
- "type": "similar"
}
],
"uuid": "bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49",
@@ -10917,10 +10307,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a",
- "type": "similar"
}
],
"uuid": "2df88e4e-5a89-5535-ae1a-4c68b19d9078",
@@ -10950,10 +10336,6 @@
{
"dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"type": "used-by"
- },
- {
- "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f",
- "type": "similar"
}
],
"uuid": "4ffbca79-358a-4ba5-bfbb-dc1694c45646",
@@ -10968,6 +10350,7 @@
"software_attack_id": "S0398",
"source": "MITRE",
"tags": [
+ "84e6dbc1-98c7-4619-b796-a8c8d562ea7b",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
],
"type": [
@@ -10978,10 +10361,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451",
- "type": "similar"
}
],
"uuid": "57cec527-26fb-44a1-b1a9-506a3af2c9f2",
@@ -11003,10 +10382,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e",
- "type": "similar"
}
],
"uuid": "ba3236e9-c86b-4b5d-89ed-7f71940a0588",
@@ -11024,12 +10399,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "dd889a55-fb2c-4ec7-8e9f-c399939a49e1",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5a73defd-6a1a-4132-8427-cec649e8267a",
"value": "IceApple"
},
@@ -11042,6 +10412,7 @@
"software_attack_id": "S0483",
"source": "MITRE",
"tags": [
+ "7d2804e4-a4e4-4ef7-acd5-2fca9cc92556",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
],
"type": [
@@ -11060,15 +10431,38 @@
{
"dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3",
"type": "used-by"
- },
- {
- "dest-uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d",
- "type": "similar"
}
],
"uuid": "7f59bb7c-5fa9-497d-9d8e-ba9349fd9433",
"value": "IcedID"
},
+ {
+ "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3159",
+ "source": "Tidal Cyber",
+ "tags": [
+ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "1c0ab9a0-eb02-4428-a319-83a504e1b22b",
+ "value": "Idumper"
+ },
{
"description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Executes commands from a specially prepared ie4uinit.inf file.\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* c:\\windows\\system32\\ie4uinit.exe\n* c:\\windows\\sysWOW64\\ie4uinit.exe\n* c:\\windows\\system32\\ieuinit.inf\n* c:\\windows\\sysWOW64\\ieuinit.inf\n\n**Resources:**\n* [https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/](https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/)\n\n**Detection:**\n* IOC: ie4uinit.exe copied outside of %windir%\n* IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%\n* Sigma: [proc_creation_win_lolbin_ie4uinit.yml](https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml)[[Ie4uinit.exe - LOLBAS Project](/references/01f9a368-5933-47a1-85a9-e5883a5ca266)]",
"meta": {
@@ -11076,7 +10470,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5116",
+ "software_attack_id": "S3233",
"source": "Tidal Cyber",
"tags": [
"f32f1513-7277-4257-9c35-c8ab3da17c84",
@@ -11098,7 +10492,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5190",
+ "software_attack_id": "S3311",
"source": "Tidal Cyber",
"tags": [
"e794994d-c38a-44d9-9253-53191ca9e56b",
@@ -11120,7 +10514,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5117",
+ "software_attack_id": "S3234",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -11141,7 +10535,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5118",
+ "software_attack_id": "S3235",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -11162,7 +10556,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5191",
+ "software_attack_id": "S3312",
"source": "Tidal Cyber",
"tags": [
"fc23fb85-8c48-4f0b-aeb6-b78fd6e25e0a",
@@ -11186,12 +10580,7 @@
"tool"
]
},
- "related": [
- {
- "dest-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "93ab16d1-625e-4b1c-bb28-28974c269c47",
"value": "ifconfig"
},
@@ -11207,12 +10596,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "71098f6e-a2c0-434f-b991-6c079fd3e82d",
"value": "iKitten"
},
@@ -11223,7 +10607,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5119",
+ "software_attack_id": "S3236",
"source": "Tidal Cyber",
"tags": [
"8bcce456-e1dc-4dd0-99a9-8334fd6f2847",
@@ -11245,7 +10629,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5308",
+ "software_attack_id": "S3088",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -11272,7 +10656,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5115",
+ "software_attack_id": "S3232",
"source": "Tidal Cyber",
"tags": [
"796962fe-56d7-4816-9193-153da0be7c10",
@@ -11310,10 +10694,6 @@
{
"dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
"type": "used-by"
- },
- {
- "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9",
- "type": "similar"
}
],
"uuid": "925fc0db-9315-4703-9353-1d0e9ecb1439",
@@ -11357,6 +10737,10 @@
"dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
"type": "used-by"
},
+ {
+ "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8",
+ "type": "used-by"
+ },
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
@@ -11436,15 +10820,40 @@
{
"dest-uuid": "7f52cadb-7a12-4b9d-9290-1ef02123fbe4",
"type": "used-by"
- },
- {
- "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
- "type": "similar"
}
],
"uuid": "cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c",
"value": "Impacket"
},
+ {
+ "description": "INC is a ransomware operation that emerged in July 2023. Operators of INC ransomware typically publicly extort their victims.[[SentinelOne September 21 2023](/references/7e793738-c132-47bf-90aa-1f0659564d16)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S3189",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "41b71db3-9779-445e-a0b5-7cd7174a7026",
+ "value": "INC Ransomware"
+ },
{
"description": "[Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[[ESET Industroyer](https://app.tidalcyber.com/references/9197f712-3c53-4746-9722-30e248511611)] [Industroyer](https://app.tidalcyber.com/software/09398a7c-aee5-44af-b99d-f73d3b39c299) was used in the attacks on the Ukrainian power grid in December 2016.[[Dragos Crashoverride 2017](https://app.tidalcyber.com/references/c8f624e3-2ba2-4564-bd1c-f06b9a6a8bce)] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[[Dragos Crashoverride 2018](https://app.tidalcyber.com/references/d14442d5-2557-4a92-9a29-b15a20752f56)]",
"meta": {
@@ -11465,10 +10874,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808",
- "type": "similar"
}
],
"uuid": "09398a7c-aee5-44af-b99d-f73d3b39c299",
@@ -11491,10 +10896,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
- "type": "similar"
}
],
"uuid": "53c5fb76-a690-55c3-9e02-39577990da2a",
@@ -11507,7 +10908,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5120",
+ "software_attack_id": "S3237",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -11533,12 +10934,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e42bf572-1e70-4467-a4b7-5e22c776c758",
"value": "InnaputRAT"
},
@@ -11549,7 +10945,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5121",
+ "software_attack_id": "S3238",
"source": "Tidal Cyber",
"tags": [
"a3f84674-3813-4993-9e34-39cdaa19cbd1",
@@ -11571,7 +10967,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5049",
+ "software_attack_id": "S3073",
"source": "Tidal Cyber",
"tags": [
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -11592,7 +10988,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5272",
+ "software_attack_id": "S3113",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -11619,12 +11015,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "3ee4c49d-2f2c-4677-b193-69f16f2851a4",
"value": "InvisiMole"
},
@@ -11641,10 +11032,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f",
- "type": "similar"
}
],
"uuid": "2200a647-3312-44c0-9691-4a26153febbb",
@@ -11657,7 +11044,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5080",
+ "software_attack_id": "S3104",
"source": "Tidal Cyber",
"tags": [
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -11776,10 +11163,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
- "type": "similar"
}
],
"uuid": "4f519002-0576-4f8e-8add-73ebac9a86e6",
@@ -11804,10 +11187,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e",
- "type": "similar"
}
],
"uuid": "9ca96281-8ff9-4619-a79d-16c5a9594eae",
@@ -11832,10 +11211,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324",
- "type": "similar"
}
],
"uuid": "752ab0fc-7fa1-4e54-bd9a-7a280a38ed77",
@@ -11857,10 +11232,6 @@
{
"dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762",
"type": "used-by"
- },
- {
- "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06",
- "type": "similar"
}
],
"uuid": "6dbf31cf-0ba0-48b4-be82-38889450845c",
@@ -11873,7 +11244,7 @@
"platforms": [
"Network"
],
- "software_attack_id": "S5061",
+ "software_attack_id": "S3067",
"source": "Tidal Cyber",
"tags": [
"b20e7912-6a8d-46e3-8e13-9a3fc4813852",
@@ -11907,12 +11278,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a4debf1f-8a37-4c89-8ebc-31de71d33f79",
"value": "Janicab"
},
@@ -11928,12 +11294,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "64122557-5940-4271-9123-25bfc0c693db",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "853d3d18-d746-4650-a9bd-c36a0e86dd02",
"value": "Javali"
},
@@ -11950,12 +11311,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "41ec0bbc-65ca-4913-a763-1638215d7b2f",
"value": "JCry"
},
@@ -11978,10 +11334,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
- "type": "similar"
}
],
"uuid": "d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae",
@@ -12003,10 +11355,6 @@
{
"dest-uuid": "f036b992-4c3f-47b7-a458-94ac133bce74",
"type": "used-by"
- },
- {
- "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30",
- "type": "similar"
}
],
"uuid": "c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f",
@@ -12034,10 +11382,6 @@
{
"dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
"type": "used-by"
- },
- {
- "dest-uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c",
- "type": "similar"
}
],
"uuid": "42fe9795-5cf6-4ad7-b56e-2aa655377992",
@@ -12050,7 +11394,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5122",
+ "software_attack_id": "S3239",
"source": "Tidal Cyber",
"tags": [
"ee16a0c7-b3cf-4303-9681-b3076da9bff0",
@@ -12085,10 +11429,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "f559f945-eb8b-48b1-904c-68568deebed3",
- "type": "similar"
}
],
"uuid": "c67f3029-a26c-4752-b7f1-8e3369c2f79d",
@@ -12101,9 +11441,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5303",
+ "software_attack_id": "S3069",
"source": "Tidal Cyber",
"tags": [
+ "4ac8deac-b33f-4276-b9ee-2d810138aedc",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
"2feda37d-5579-4102-a073-aa02e82cb49f"
@@ -12137,10 +11478,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322",
- "type": "similar"
}
],
"uuid": "ca883d21-97ca-420d-a66b-ef19a8355467",
@@ -12161,12 +11498,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "1896b9c9-a93e-4220-b4c2-6c4c9c5ca297",
"value": "Kasidet"
},
@@ -12190,10 +11522,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2",
- "type": "similar"
}
],
"uuid": "e93990a0-4841-4867-8b74-ac2806d787bf",
@@ -12218,10 +11546,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5",
- "type": "similar"
}
],
"uuid": "17c28e46-1005-4737-8567-d4ad9f1aefd1",
@@ -12239,12 +11563,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "c984b414-b766-44c5-814a-2fe96c913c12",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "32f1e0d3-753f-4b51-aec5-cfaa393cedc3",
"value": "Kessel"
},
@@ -12264,10 +11583,6 @@
{
"dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
"type": "used-by"
- },
- {
- "dest-uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a",
- "type": "similar"
}
],
"uuid": "b9730d7c-aa57-4d6f-9125-57dcb65b02e0",
@@ -12289,10 +11604,6 @@
{
"dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
"type": "used-by"
- },
- {
- "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e",
- "type": "similar"
}
],
"uuid": "6ec39371-d50b-43b6-937c-52de00491eab",
@@ -12310,12 +11621,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4b072c90-bc7a-432b-940e-016fc1c01761",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "aefbe6ff-7ce4-479e-916d-e8f0259d81f6",
"value": "Keydnap"
},
@@ -12335,10 +11641,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22",
- "type": "similar"
}
],
"uuid": "a644f61e-6a9b-41ab-beca-72518351c27f",
@@ -12361,10 +11663,6 @@
{
"dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
"type": "used-by"
- },
- {
- "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d",
- "type": "similar"
}
],
"uuid": "ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a",
@@ -12386,10 +11684,6 @@
{
"dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
"type": "used-by"
- },
- {
- "dest-uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d",
- "type": "similar"
}
],
"uuid": "c1e1ab6a-d5ce-4520-98c5-c6df41005fd9",
@@ -12421,10 +11715,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6",
- "type": "similar"
}
],
"uuid": "b5532e91-d267-4819-a05d-8c5358995add",
@@ -12447,12 +11737,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "d6e55656-e43f-411f-a7af-45df650471c5",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "7b4f157c-4b34-4f55-9c20-ff787495e9ba",
"value": "Kinsing"
},
@@ -12472,10 +11757,6 @@
{
"dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
"type": "used-by"
- },
- {
- "dest-uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
- "type": "similar"
}
],
"uuid": "673ed346-9562-4997-80b2-e701b1a99a58",
@@ -12509,10 +11790,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4",
- "type": "similar"
}
],
"uuid": "5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd",
@@ -12530,12 +11807,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "bf918663-90bd-489e-91e7-6951a18a25fd",
"value": "Kobalos"
},
@@ -12555,10 +11827,6 @@
{
"dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
"type": "used-by"
- },
- {
- "dest-uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb",
- "type": "similar"
}
],
"uuid": "3e13d07d-d9e1-4456-bec3-b2375e404753",
@@ -12580,10 +11848,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518",
- "type": "similar"
}
],
"uuid": "2cf1be0d-2fba-4fd0-ab2f-3695716d1735",
@@ -12605,10 +11869,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a",
- "type": "similar"
}
],
"uuid": "3067f148-2e2b-4aac-9652-59823b3ad4f1",
@@ -12629,12 +11889,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d381de2a-30cb-4d50-bbce-fd1e489c4889",
"value": "KONNI"
},
@@ -12654,10 +11909,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103",
- "type": "similar"
}
],
"uuid": "d09c4459-1aa3-547d-99f4-7ac73b8043f0",
@@ -12679,10 +11930,6 @@
{
"dest-uuid": "863b7013-133d-4a82-93d2-51b53a8fd30e",
"type": "used-by"
- },
- {
- "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab",
- "type": "similar"
}
],
"uuid": "35ac4018-8506-4025-a9e3-bd017700b3b3",
@@ -12695,7 +11942,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5258",
+ "software_attack_id": "S3379",
"source": "Tidal Cyber",
"tags": [
"5be0da70-9249-44fa-8c3b-7394ef26b2e0",
@@ -12742,6 +11989,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
"type": "used-by"
@@ -12809,10 +12060,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
- "type": "similar"
}
],
"uuid": "f5558af4-e3e2-47c2-b8fe-72850bd30f37",
@@ -12825,7 +12072,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5017",
+ "software_attack_id": "S3240",
"source": "Tidal Cyber",
"tags": [
"cea43301-9f7a-46a5-be3a-3a09f0f3c09e",
@@ -12861,7 +12108,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5020",
+ "software_attack_id": "S3022",
"source": "Tidal Cyber",
"tags": [
"15787198-6c8b-4f79-bf50-258d55072fee",
@@ -12889,7 +12136,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5067",
+ "software_attack_id": "S3092",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -12930,10 +12177,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb",
- "type": "similar"
}
],
"uuid": "c9d2f023-d54b-4d08-9598-a42fb92b3161",
@@ -12951,12 +12194,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "5dc9e8ec-9917-4de7-b8ab-16007899dd80",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0",
"value": "LIGHTWIRE"
},
@@ -12967,7 +12205,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5034",
+ "software_attack_id": "S3036",
"source": "Tidal Cyber",
"tags": [
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -12992,6 +12230,10 @@
"dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
"type": "used-by"
},
+ {
+ "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
+ "type": "used-by"
+ },
{
"dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
"type": "used-by"
@@ -13011,7 +12253,7 @@
"platforms": [
"Network"
],
- "software_attack_id": "S5284",
+ "software_attack_id": "S3132",
"source": "Tidal Cyber",
"tags": [
"a159c91c-5258-49ea-af7d-e803008d97d3",
@@ -13036,7 +12278,7 @@
"platforms": [
"Network"
],
- "software_attack_id": "S5285",
+ "software_attack_id": "S3133",
"source": "Tidal Cyber",
"tags": [
"a159c91c-5258-49ea-af7d-e803008d97d3",
@@ -13071,10 +12313,6 @@
{
"dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"type": "used-by"
- },
- {
- "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613",
- "type": "similar"
}
],
"uuid": "925975f8-e8ff-411f-a40e-f799968046f7",
@@ -13096,12 +12334,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0efefea5-78da-4022-92bc-d726139e8883",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d017e133-fce9-4982-a2df-6867a80089e7",
"value": "Linux Rabbit"
},
@@ -13124,10 +12357,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d",
- "type": "similar"
}
],
"uuid": "71e4028c-9ca1-45ce-bc44-98209ae9f6bd",
@@ -13149,10 +12378,6 @@
{
"dest-uuid": "73da066d-b25f-45ba-862b-1a69228c6baa",
"type": "used-by"
- },
- {
- "dest-uuid": "9020f5c7-efde-4125-a4f1-1b70f1274ddd",
- "type": "similar"
}
],
"uuid": "cc568409-71ff-468b-9c38-d0dd9020e409",
@@ -13170,12 +12395,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "19256855-65e9-48f2-8b74-9f3d0a994428",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca",
"value": "LITTLELAMB.WOOLTEA"
},
@@ -13205,10 +12425,6 @@
{
"dest-uuid": "393da13e-016c-41a3-9d89-b33173adecbf",
"type": "used-by"
- },
- {
- "dest-uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc",
- "type": "similar"
}
],
"uuid": "65d46aab-b3ce-4f5b-b1fc-871db2573fa1",
@@ -13221,9 +12437,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5047",
+ "software_attack_id": "S3015",
"source": "Tidal Cyber",
"tags": [
+ "ba2210ad-0cf7-4a28-8d40-c1dbec5fb202",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
"d431939f-2dc0-410b-83f7-86c458125444",
@@ -13271,10 +12488,6 @@
{
"dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
"type": "used-by"
- },
- {
- "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48",
- "type": "similar"
}
],
"uuid": "65bc8e81-0a08-49f6-9d04-a2d63d512342",
@@ -13296,10 +12509,6 @@
{
"dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
"type": "used-by"
- },
- {
- "dest-uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48",
- "type": "similar"
}
],
"uuid": "d28c3706-df25-59e2-939f-131abaf8a1eb",
@@ -13312,7 +12521,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5073",
+ "software_attack_id": "S3098",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -13361,10 +12570,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed",
- "type": "similar"
}
],
"uuid": "039f34e9-f379-4a24-a53f-b28ba579854c",
@@ -13389,10 +12594,6 @@
{
"dest-uuid": "e47ae2a7-d34d-4528-ba67-c9c07daa91ba",
"type": "used-by"
- },
- {
- "dest-uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
- "type": "similar"
}
],
"uuid": "4fead65c-499d-4f44-8879-2c35b24dac68",
@@ -13410,12 +12611,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "c9ccc4df-1f56-49e7-ad57-b383e1451688",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "bfd2a077-5000-4500-82c4-5c85fb98dd5a",
"value": "LookBack"
},
@@ -13426,7 +12622,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5035",
+ "software_attack_id": "S3037",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -13470,12 +12666,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "f99f3dcc-683f-4936-8791-075ac5e58f10",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f503535b-406c-4e24-8123-0e22fec995bb",
"value": "LoudMiner"
},
@@ -13495,10 +12686,6 @@
{
"dest-uuid": "8567136b-f84a-45ed-8cce-46324c7da60e",
"type": "used-by"
- },
- {
- "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
- "type": "similar"
}
],
"uuid": "fce1117a-e699-4aef-b1fc-04c3967acc33",
@@ -13523,10 +12710,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
- "type": "similar"
}
],
"uuid": "37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc",
@@ -13544,12 +12727,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "54a73038-1937-4d71-a253-316e76d5413c",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "723d9a27-74fd-4333-a8db-63df2a8b4dd4",
"value": "Lucifer"
},
@@ -13569,15 +12747,34 @@
{
"dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
"type": "used-by"
- },
- {
- "dest-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad",
- "type": "similar"
}
],
"uuid": "0cc9e24b-d458-4782-a332-4e4fd68c057b",
"value": "Lurid"
},
+ {
+ "description": "Lynx is a Windows-focused ransomware that was identified in July 2024. Rapid7 researchers note potential code similarities between Lynx and INC ransomware.[[Rapid7 Blog September 12 2024](/references/21d393ae-d135-4c5a-8c6d-1baa8c0a1e08)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3169",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "f5d55fa5-afb8-46ff-b5b5-c792060fd7d3",
+ "value": "Lynx Ransomware"
+ },
{
"description": "[Machete](https://app.tidalcyber.com/software/be8a1630-9562-41ad-a621-65989f961a10) is a cyber espionage toolset used by [Machete](https://app.tidalcyber.com/groups/a3be79a2-3d4f-4697-a8a1-83f0884220af). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[[ESET Machete July 2019](https://app.tidalcyber.com/references/408d5e33-fcb6-4d21-8be9-7aa5a8bd3385)][[Securelist Machete Aug 2014](https://app.tidalcyber.com/references/fc7be240-bd15-4ec4-bc01-f8891d7210d9)][[360 Machete Sep 2020](https://app.tidalcyber.com/references/682c843d-1bb8-4f30-9d2e-35e8d41b1976)]",
"meta": {
@@ -13594,10 +12791,6 @@
{
"dest-uuid": "a3be79a2-3d4f-4697-a8a1-83f0884220af",
"type": "used-by"
- },
- {
- "dest-uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04",
- "type": "similar"
}
],
"uuid": "be8a1630-9562-41ad-a621-65989f961a10",
@@ -13615,12 +12808,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb",
"value": "MacMa"
},
@@ -13636,12 +12824,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "2a59a237-1530-4d55-91f9-2aebf961cc37",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "74feb557-21bc-40fb-8ab5-45d3af84c380",
"value": "macOS.OSAMiner"
},
@@ -13657,12 +12840,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "f72251cb-2be5-421f-a081-99c29a1209e7",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e5e67c67-e658-45b5-850b-044312be4258",
"value": "MacSpy"
},
@@ -13682,10 +12860,6 @@
{
"dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b",
"type": "used-by"
- },
- {
- "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68",
- "type": "similar"
}
],
"uuid": "7506616c-b808-54fb-9982-072a0dcf8a04",
@@ -13713,10 +12887,6 @@
{
"dest-uuid": "b5c28235-d441-40d9-8da2-d49ba2f2568b",
"type": "used-by"
- },
- {
- "dest-uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e",
- "type": "similar"
}
],
"uuid": "d762974a-ca7e-45ee-bc1d-f5218bf46c84",
@@ -13729,7 +12899,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5123",
+ "software_attack_id": "S3241",
"source": "Tidal Cyber",
"tags": [
"758c3085-2f79-40a8-ab95-f8a684737927",
@@ -13765,7 +12935,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5259",
+ "software_attack_id": "S3380",
"source": "Tidal Cyber",
"tags": [
"ff10869f-fed4-4f21-b83a-9939e7381d6e",
@@ -13780,6 +12950,33 @@
"uuid": "9b6b705e-55ae-4d9e-9c57-baf1358cc324",
"value": "Manage-bde"
},
+ {
+ "description": "A backdoor capability associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3162",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "9702e486-e5b9-486f-84f3-289c599d3d72",
+ "value": "Mango"
+ },
{
"description": "[MarkiRAT](https://app.tidalcyber.com/software/40806539-1496-4a64-b740-66f6a1467f40) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://app.tidalcyber.com/groups/275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb) since at least 2015.[[Kaspersky Ferocious Kitten Jun 2021](https://app.tidalcyber.com/references/b8f8020d-3f5c-4b5e-8761-6ecdd63fcd50)]",
"meta": {
@@ -13799,10 +12996,6 @@
{
"dest-uuid": "275ca7b0-3b21-4c3a-8b6f-57b6f0ffb6fb",
"type": "used-by"
- },
- {
- "dest-uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1",
- "type": "similar"
}
],
"uuid": "40806539-1496-4a64-b740-66f6a1467f40",
@@ -13817,7 +13010,7 @@
"macOS",
"Windows"
],
- "software_attack_id": "S5282",
+ "software_attack_id": "S3121",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -13858,10 +13051,6 @@
{
"dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b",
"type": "used-by"
- },
- {
- "dest-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
- "type": "similar"
}
],
"uuid": "eeb700ea-2819-46f4-936d-f7592f20dedc",
@@ -13874,7 +13063,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5124",
+ "software_attack_id": "S3242",
"source": "Tidal Cyber",
"tags": [
"724c3509-ad5e-46a3-a72c-6f3807b13793",
@@ -13898,6 +13087,7 @@
"software_attack_id": "S0449",
"source": "MITRE",
"tags": [
+ "5b4ce6cb-0929-4f74-a3b2-bd1afa916d36",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad",
"1cc90752-70a3-4a17-b370-e1473a212f79",
@@ -13920,10 +13110,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "d9f7383c-95ec-4080-bbce-121c9384457b",
- "type": "similar"
}
],
"uuid": "3c206491-45c0-4ff7-9f40-45f9aae4de64",
@@ -13936,7 +13122,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5297",
+ "software_attack_id": "S3020",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -13972,10 +13158,6 @@
{
"dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
"type": "used-by"
- },
- {
- "dest-uuid": "975737f1-b10d-476f-8bda-3ec26ea57172",
- "type": "similar"
}
],
"uuid": "939cbe39-5b63-4651-b0c0-85ac39cb9f0e",
@@ -13997,10 +13179,6 @@
{
"dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
"type": "used-by"
- },
- {
- "dest-uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
- "type": "similar"
}
],
"uuid": "31cbe3c8-be88-4a4f-891d-04c3bb7ed482",
@@ -14013,9 +13191,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5022",
+ "software_attack_id": "S3066",
"source": "Tidal Cyber",
"tags": [
+ "0512bbd3-0596-4426-9ee6-d2bfeb8fd219",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172"
@@ -14054,10 +13233,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
- "type": "similar"
}
],
"uuid": "6c3bbcae-3217-43c7-b709-5c54bc7636b1",
@@ -14072,7 +13247,7 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5328",
+ "software_attack_id": "S3143",
"source": "Tidal Cyber",
"tags": [
"8bf128ad-288b-41bc-904f-093f4fdde745",
@@ -14111,12 +13286,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "909617c3-6d87-4330-8f32-bd3af38c3b92",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d8a4a817-2914-47b0-867c-ad8eeb7efd10",
"value": "MegaCortex"
},
@@ -14129,7 +13299,7 @@
"macOS",
"Windows"
],
- "software_attack_id": "S5005",
+ "software_attack_id": "S3021",
"source": "Tidal Cyber",
"tags": [
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
@@ -14153,6 +13323,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
+ },
{
"dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
"type": "used-by"
@@ -14201,12 +13375,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "d3105fb5-c494-4fd1-a7be-414eab9e0c96",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "aa844e6b-feda-4928-8c6d-c59f7be88da0",
"value": "Melcoz"
},
@@ -14226,10 +13395,6 @@
{
"dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
"type": "used-by"
- },
- {
- "dest-uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573",
- "type": "similar"
}
],
"uuid": "15d7e478-349d-42e6-802d-f16302b98319",
@@ -14251,10 +13416,6 @@
{
"dest-uuid": "a3a3a1d3-7fe7-5578-8c5f-9c0f2f68079b",
"type": "used-by"
- },
- {
- "dest-uuid": "df350889-4de9-44e5-8cb3-888b8343e97c",
- "type": "similar"
}
],
"uuid": "0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d",
@@ -14275,12 +13436,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "81c57a96-fc8c-4f91-af8e-63e24c2927c2",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ca607087-25ad-4a91-af83-608646cccbcb",
"value": "Metamorfo"
},
@@ -14293,9 +13449,12 @@
"macOS",
"Windows"
],
- "software_attack_id": "S5050",
+ "software_attack_id": "S3068",
"source": "Tidal Cyber",
"tags": [
+ "677c5953-3cc8-44bb-89bc-d9a31f9d170c",
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"2feda37d-5579-4102-a073-aa02e82cb49f",
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -14307,6 +13466,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
"type": "used-by"
@@ -14326,7 +13489,7 @@
"platforms": [
"macOS"
],
- "software_attack_id": "S5315",
+ "software_attack_id": "S3128",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -14348,16 +13511,14 @@
],
"software_attack_id": "S0688",
"source": "MITRE",
+ "tags": [
+ "f68659fd-4d2f-4c9c-959d-b9f7ef91c228"
+ ],
"type": [
"malware"
]
},
- "related": [
- {
- "dest-uuid": "d79e7a60-5de9-448e-a074-f95d2d80f8d0",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ee07030e-ff50-404b-ad27-ab999fc1a23a",
"value": "Meteor"
},
@@ -14368,7 +13529,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5224",
+ "software_attack_id": "S3345",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -14401,10 +13562,6 @@
{
"dest-uuid": "e3c5164e-49cf-5bb1-955d-6775585abb14",
"type": "used-by"
- },
- {
- "dest-uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349",
- "type": "similar"
}
],
"uuid": "5879efc1-f122-43ec-a80d-e25aa449594d",
@@ -14417,7 +13574,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5225",
+ "software_attack_id": "S3346",
"source": "Tidal Cyber",
"tags": [
"eb75bfce-e0d6-41b3-a3f0-df34e6e9b476",
@@ -14439,7 +13596,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5125",
+ "software_attack_id": "S3243",
"source": "Tidal Cyber",
"tags": [
"b48e3fa8-25b4-42be-97e7-086068a150c5",
@@ -14473,10 +13630,6 @@
{
"dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
"type": "used-by"
- },
- {
- "dest-uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c",
- "type": "similar"
}
],
"uuid": "57545dbc-c72a-409d-a373-bc35e25160cd",
@@ -14526,6 +13679,10 @@
"dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
"type": "used-by"
},
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
"type": "used-by"
@@ -14761,10 +13918,6 @@
{
"dest-uuid": "570198e3-b59c-5772-b1ee-15d7ea14d48a",
"type": "used-by"
- },
- {
- "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
- "type": "similar"
}
],
"uuid": "b8e7c0b4-49e4-4e8d-9467-b17f305ddf16",
@@ -14789,10 +13942,6 @@
{
"dest-uuid": "325c11be-e1ee-47db-afa6-44ac5d16f0e7",
"type": "used-by"
- },
- {
- "dest-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
- "type": "similar"
}
],
"uuid": "42350632-b59a-4cc5-995e-d95d8c608553",
@@ -14807,12 +13956,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c0dea9db-1551-4f6c-8a19-182efc34093a",
"value": "Miner-C"
},
@@ -14835,10 +13979,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c",
- "type": "similar"
}
],
"uuid": "2bb16809-6bc3-46c3-b28a-39cb49410340",
@@ -14863,10 +14003,6 @@
{
"dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
"type": "used-by"
- },
- {
- "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d",
- "type": "similar"
}
],
"uuid": "535f1b97-7a70-4d18-be4e-3a9f74ccf78a",
@@ -14884,12 +14020,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4048afa2-79c8-4d38-8219-2207adddd884",
"value": "Misdat"
},
@@ -14912,10 +14043,6 @@
{
"dest-uuid": "803f8018-6e45-5b0f-978f-1fe96b217120",
"type": "used-by"
- },
- {
- "dest-uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80",
- "type": "similar"
}
],
"uuid": "758e5226-6015-5cc7-af4b-20fa35c9bac1",
@@ -14933,12 +14060,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "fe554d2e-f974-41d6-8e7a-701bd758355d",
"value": "Mis-Type"
},
@@ -14958,15 +14080,38 @@
{
"dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
"type": "used-by"
- },
- {
- "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
- "type": "similar"
}
],
"uuid": "f603ea32-91c3-4b62-a60f-57670433b080",
"value": "Mivast"
},
+ {
+ "description": "A credential dumping tool associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3160",
+ "source": "Tidal Cyber",
+ "tags": [
+ "dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "7bded42d-ad82-4b00-88c7-c1129c11894d",
+ "value": "MKG"
+ },
{
"description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Load snap-ins to locally and remotely manage Windows systems\n\n**Author:** @bohops\n\n**Paths:**\n* C:\\Windows\\System32\\mmc.exe\n* C:\\Windows\\SysWOW64\\mmc.exe\n\n**Resources:**\n* [https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n* [https://offsec.almond.consulting/UAC-bypass-dotnet.html](https://offsec.almond.consulting/UAC-bypass-dotnet.html)\n\n**Detection:**\n* Sigma: [proc_creation_win_mmc_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml)\n* Sigma: [file_event_win_uac_bypass_dotnet_profiler.yml](https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml)[[Mmc.exe - LOLBAS Project](/references/490b6769-e386-4a3d-972e-5a919cb2f6f5)]",
"meta": {
@@ -14974,7 +14119,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5126",
+ "software_attack_id": "S3244",
"source": "Tidal Cyber",
"tags": [
"f9e6382f-e41e-438e-bd7e-57a57046d9e6",
@@ -15002,10 +14147,6 @@
{
"dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4",
"type": "used-by"
- },
- {
- "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
- "type": "similar"
}
],
"uuid": "116f913c-0d5e-43d1-ba0d-3a12127af8f6",
@@ -15030,10 +14171,6 @@
{
"dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
"type": "used-by"
- },
- {
- "dest-uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2",
- "type": "similar"
}
],
"uuid": "7ca5debb-f813-4e06-98f8-d1186552e5d2",
@@ -15058,15 +14195,35 @@
{
"dest-uuid": "454402a3-0503-45bf-b2e0-177fa2e2d412",
"type": "used-by"
- },
- {
- "dest-uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154",
- "type": "similar"
}
],
"uuid": "7f5355b3-e819-4c82-a0fa-b80fda8fd6e6",
"value": "Mongall"
},
+ {
+ "description": "Monti is a ransomware identified in June 2022. Researchers have drawn comparisons between Monti and Conti ransomware, whose source code was leaked earlier that year. Windows and Linux variants of Monti have been identified.[[Trend Micro August 14 2023](/references/12d2fbc5-f9cb-41b5-96a6-1cd100b5a173)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "software_attack_id": "S3170",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "7d7905f9-22cf-4b30-bb8f-5b5da52d1036",
+ "value": "Monti Ransomware"
+ },
{
"description": "[MoonWind](https://app.tidalcyber.com/software/a699f32f-6596-4060-8fcd-42587a844b80) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [[Palo Alto MoonWind March 2017](https://app.tidalcyber.com/references/4f3d7a08-2cf5-49ed-8bcd-6df180f3d194)]",
"meta": {
@@ -15079,12 +14236,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a699f32f-6596-4060-8fcd-42587a844b80",
"value": "MoonWind"
},
@@ -15115,10 +14267,6 @@
{
"dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
"type": "used-by"
- },
- {
- "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4",
- "type": "similar"
}
],
"uuid": "69f202e7-4bc9-4f4f-943f-330c053ae977",
@@ -15132,6 +14280,9 @@
],
"software_attack_id": "S1047",
"source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
"type": [
"malware"
]
@@ -15140,10 +14291,6 @@
{
"dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"type": "used-by"
- },
- {
- "dest-uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448",
- "type": "similar"
}
],
"uuid": "385e1eaf-9ba8-4381-981a-3c7af718a77d",
@@ -15168,10 +14315,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90",
- "type": "similar"
}
],
"uuid": "c3939dad-d728-4ddb-804e-cf1e3743a55d",
@@ -15184,7 +14327,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5127",
+ "software_attack_id": "S3245",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -15205,7 +14348,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5128",
+ "software_attack_id": "S3246",
"source": "Tidal Cyber",
"tags": [
"dfda978e-e0a0-4e1a-85c7-d9ab2cd7ccc5",
@@ -15227,7 +14370,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5129",
+ "software_attack_id": "S3247",
"source": "Tidal Cyber",
"tags": [
"7e20fe4e-6883-457d-81f9-b4010e739f89",
@@ -15249,7 +14392,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5226",
+ "software_attack_id": "S3347",
"source": "Tidal Cyber",
"tags": [
"11452158-b8d2-4a33-952a-8896f961a2f5",
@@ -15271,7 +14414,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5130",
+ "software_attack_id": "S3248",
"source": "Tidal Cyber",
"tags": [
"8c30b46b-3651-4ccd-9d91-34fe89bc6843",
@@ -15293,7 +14436,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5131",
+ "software_attack_id": "S3249",
"source": "Tidal Cyber",
"tags": [
"5bd3af6b-cb96-4d96-9576-26521dd76513",
@@ -15315,7 +14458,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5182",
+ "software_attack_id": "S3303",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -15336,7 +14479,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5183",
+ "software_attack_id": "S3304",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -15357,7 +14500,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5132",
+ "software_attack_id": "S3250",
"source": "Tidal Cyber",
"tags": [
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -15444,7 +14587,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5192",
+ "software_attack_id": "S3313",
"source": "Tidal Cyber",
"tags": [
"46338353-52ee-4f8d-9f18-f1b32644dd76",
@@ -15466,7 +14609,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5133",
+ "software_attack_id": "S3251",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -15510,7 +14653,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5227",
+ "software_attack_id": "S3348",
"source": "Tidal Cyber",
"tags": [
"874c053b-d6b8-42c2-accc-cd256bb4d350",
@@ -15532,7 +14675,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5228",
+ "software_attack_id": "S3349",
"source": "Tidal Cyber",
"tags": [
"a523dcb0-9181-4170-a113-126df84594ca",
@@ -15554,7 +14697,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5229",
+ "software_attack_id": "S3350",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -15589,10 +14732,6 @@
{
"dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
"type": "used-by"
- },
- {
- "dest-uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501",
- "type": "similar"
}
],
"uuid": "768111f9-0948-474b-82a6-cd5455079513",
@@ -15616,12 +14755,7 @@
"tool"
]
},
- "related": [
- {
- "dest-uuid": "d505fc8b-2e64-46eb-96d6-9ef7ffca5b66",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f1398367-a0af-4a89-b240-50cae4985ed9",
"value": "Mythic"
},
@@ -15644,10 +14778,6 @@
{
"dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"type": "used-by"
- },
- {
- "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2",
- "type": "similar"
}
],
"uuid": "5cfd6135-c53b-4234-a17e-759494b2101f",
@@ -15669,10 +14799,6 @@
{
"dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
"type": "used-by"
- },
- {
- "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2",
- "type": "similar"
}
],
"uuid": "0e28dfc9-8948-4c08-b7d8-9e80e19cc464",
@@ -15710,10 +14836,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676",
- "type": "similar"
}
],
"uuid": "db05dbaa-eb3a-4303-b37e-18d67e7e85a1",
@@ -15738,10 +14860,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84",
- "type": "similar"
}
],
"uuid": "a814fd1d-8c2c-41b3-bb3a-30c4318c74c0",
@@ -15766,10 +14884,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053",
- "type": "similar"
}
],
"uuid": "b410d30c-4db6-4239-950e-9b0e0521f0d2",
@@ -15821,10 +14935,6 @@
{
"dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
"type": "used-by"
- },
- {
- "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8",
- "type": "similar"
}
],
"uuid": "950f13e6-3ae3-411e-a2b2-4ba1afe6cb76",
@@ -15843,10 +14953,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
- "type": "similar"
}
],
"uuid": "81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e",
@@ -15868,10 +14974,6 @@
{
"dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
"type": "used-by"
- },
- {
- "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e",
- "type": "similar"
}
],
"uuid": "6d42e6c5-3056-4ff1-8d5d-a736807ec84c",
@@ -15893,10 +14995,6 @@
{
"dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"type": "used-by"
- },
- {
- "dest-uuid": "22b17791-45bf-45c0-9322-ff1a0af5cf2b",
- "type": "similar"
}
],
"uuid": "38510bab-aece-4d7b-b621-7594c2c4fe14",
@@ -15921,10 +15019,6 @@
{
"dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
"type": "used-by"
- },
- {
- "dest-uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67",
- "type": "similar"
}
],
"uuid": "8662e29e-5766-4311-894e-5ca52515ccbe",
@@ -15946,10 +15040,6 @@
{
"dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"type": "used-by"
- },
- {
- "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a",
- "type": "similar"
}
],
"uuid": "de8b18c9-ebab-4126-96a9-282fa8829877",
@@ -16134,10 +15224,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
- "type": "similar"
}
],
"uuid": "c9b8522f-126d-40ff-b44e-1f46098bd8cc",
@@ -16159,10 +15245,6 @@
{
"dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
"type": "used-by"
- },
- {
- "dest-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
- "type": "similar"
}
],
"uuid": "947c6212-4da8-48dd-9da9-ce4b077dd759",
@@ -16187,10 +15269,6 @@
{
"dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
"type": "used-by"
- },
- {
- "dest-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
- "type": "similar"
}
],
"uuid": "852c300d-9313-442d-9b49-9883522c3f4b",
@@ -16264,10 +15342,6 @@
{
"dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
"type": "used-by"
- },
- {
- "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
- "type": "similar"
}
],
"uuid": "803192b8-747b-4108-ae15-2d7481d39162",
@@ -16338,10 +15412,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
- "type": "similar"
}
],
"uuid": "132fb908-9f13-4bcf-aa64-74cbc72f5491",
@@ -16356,9 +15426,10 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5320",
+ "software_attack_id": "S3135",
"source": "Tidal Cyber",
"tags": [
+ "6307a146-7a64-41a7-b765-8ea935027895",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"e1af18e3-3224-4e4c-9d0f-533768474508",
"e727eaa6-ef41-4965-b93a-8ad0c51d0236",
@@ -16370,6 +15441,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "54a13c54-a1d5-46e9-b155-56d981a5ad8f",
+ "type": "used-by"
+ },
{
"dest-uuid": "ee2da206-2532-44e3-a343-d66e9bfdbca0",
"type": "used-by"
@@ -16401,10 +15476,6 @@
{
"dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
"type": "used-by"
- },
- {
- "dest-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e",
- "type": "similar"
}
],
"uuid": "1b8f9cf9-db8f-437d-800e-5ddd090fe30d",
@@ -16419,6 +15490,7 @@
"software_attack_id": "S0457",
"source": "MITRE",
"tags": [
+ "24f88c63-2917-4895-b0ea-e3a5556b85c1",
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"242bc007-5ac5-4d96-8638-699a06d06d24",
@@ -16434,12 +15506,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "754effde-613c-4244-a83e-fb659b2a4d06",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d",
"value": "Netwalker"
},
@@ -16454,6 +15521,7 @@
"software_attack_id": "S0198",
"source": "MITRE",
"tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
"6c6c0125-9631-4c2c-90ab-cfef374d5198"
],
"type": [
@@ -16476,10 +15544,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2",
- "type": "similar"
}
],
"uuid": "c7d0e881-80a1-49ea-9c1f-b6e53cf399a8",
@@ -16492,7 +15556,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5278",
+ "software_attack_id": "S3118",
"source": "Tidal Cyber",
"tags": [
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -16526,12 +15590,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "72b5f07f-5448-4e00-9ff2-08bc193a7b77",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "48b161fe-3ae1-5551-9f26-d6f2d6b5afb9",
"value": "NGLite"
},
@@ -16610,10 +15669,6 @@
{
"dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
"type": "used-by"
- },
- {
- "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906",
- "type": "similar"
}
],
"uuid": "316ecd9d-ac0b-58c7-8083-5d9214c770f6",
@@ -16626,7 +15681,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5333",
+ "software_attack_id": "S3148",
"source": "Tidal Cyber",
"tags": [
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
@@ -16662,10 +15717,6 @@
{
"dest-uuid": "06549082-ff70-43bf-985e-88c695c7113c",
"type": "used-by"
- },
- {
- "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
- "type": "similar"
}
],
"uuid": "3ae9acd7-39f8-45c6-b557-c7d9a40eed2c",
@@ -16687,10 +15738,6 @@
{
"dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc",
"type": "used-by"
- },
- {
- "dest-uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6",
- "type": "similar"
}
],
"uuid": "b1963876-dbdc-5beb-ace3-acb6d7705543",
@@ -16712,10 +15759,6 @@
{
"dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
"type": "used-by"
- },
- {
- "dest-uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5",
- "type": "similar"
}
],
"uuid": "2dd26ff0-22d6-591b-9054-78e84fa3e05c",
@@ -16728,7 +15771,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5271",
+ "software_attack_id": "S3112",
"source": "Tidal Cyber",
"tags": [
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -16800,10 +15843,6 @@
{
"dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25",
"type": "used-by"
- },
- {
- "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
- "type": "similar"
}
],
"uuid": "82996f6f-0575-45cd-8f7c-ba1b063d5b9f",
@@ -16823,12 +15862,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "bd2ebee8-7c38-408a-871d-221012104222",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e26988e0-e755-54a4-8234-e8f961266d82",
"value": "NKAbuse"
},
@@ -16894,10 +15928,6 @@
{
"dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3",
"type": "used-by"
- },
- {
- "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf",
- "type": "similar"
}
],
"uuid": "fbb1546a-f288-4e43-9e5c-14c94423c4f6",
@@ -16910,9 +15940,12 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5051",
+ "software_attack_id": "S3074",
"source": "Tidal Cyber",
"tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207",
"96d58ca1-ab18-4e53-8891-d8ba62a47e5d",
"6070668f-1cbd-4878-8066-c636d1d8659c",
@@ -16932,6 +15965,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "7c3ef21c-0e1c-43d5-afb0-3a07c5a66937",
"type": "used-by"
@@ -16971,10 +16008,6 @@
{
"dest-uuid": "37f317d8-02f0-43d4-8a7d-7a65ce8aadf1",
"type": "used-by"
- },
- {
- "dest-uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a",
- "type": "similar"
}
],
"uuid": "31aa0433-fb6b-4290-8af5-a0d0c6c18548",
@@ -17004,10 +16037,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb",
- "type": "similar"
}
],
"uuid": "2538e0fe-1290-4ae1-aef9-e55d83c9eb23",
@@ -17020,7 +16049,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5052",
+ "software_attack_id": "S3075",
"source": "Tidal Cyber",
"tags": [
"15787198-6c8b-4f79-bf50-258d55072fee",
@@ -17041,7 +16070,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5018",
+ "software_attack_id": "S3057",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -17114,10 +16143,6 @@
{
"dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25",
"type": "used-by"
- },
- {
- "dest-uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9",
- "type": "similar"
}
],
"uuid": "97e8148c-e146-444c-9de5-6e2fdbda2f9f",
@@ -17135,12 +16160,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "288fa242-e894-4c7e-ac86-856deedf5cea",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f1723994-058b-4525-8e11-2f0c80d8f3a4",
"value": "OceanSalt"
},
@@ -17160,15 +16180,39 @@
{
"dest-uuid": "5f8c6ee0-f302-403b-b712-f1e3df064c0c",
"type": "used-by"
- },
- {
- "dest-uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2",
- "type": "similar"
}
],
"uuid": "8f04e609-8773-4529-b247-d32f530cc453",
"value": "Octopus"
},
+ {
+ "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3155",
+ "source": "Tidal Cyber",
+ "tags": [
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "0dd8fad0-9f4a-487d-b3f7-570bd2046e8a",
+ "value": "ODAgent"
+ },
{
"description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Used in Windows for managing ODBC connections\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\odbcconf.exe\n* C:\\Windows\\SysWOW64\\odbcconf.exe\n\n**Resources:**\n* [https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b](https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b)\n* [https://github.com/woanware/application-restriction-bypasses](https://github.com/woanware/application-restriction-bypasses)\n* [https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/](https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/)\n\n**Detection:**\n* Sigma: [proc_creation_win_odbcconf_response_file.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml)\n* Sigma: [proc_creation_win_odbcconf_response_file_susp.yml](https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml)\n* Elastic: [defense_evasion_unusual_process_network_connection.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml)\n* Elastic: [defense_evasion_network_connection_from_windows_binary.toml](https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml)[[LOLBAS Odbcconf](/references/febcaaec-b535-4347-a4c7-b3284b251897)]",
"meta": {
@@ -17176,7 +16220,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5134",
+ "software_attack_id": "S3253",
"source": "Tidal Cyber",
"tags": [
"64825d12-3cd6-4446-a93c-ff7d8ec13dc8",
@@ -17203,7 +16247,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5135",
+ "software_attack_id": "S3254",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -17217,6 +16261,62 @@
"uuid": "8bc7c62a-110d-451b-9ca6-bc48a13e72d4",
"value": "OfflineScannerShell"
},
+ {
+ "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3153",
+ "source": "Tidal Cyber",
+ "tags": [
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "01f8ef57-5c22-4dad-9300-12c0b0d63c1f",
+ "value": "OilBooster"
+ },
+ {
+ "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3154",
+ "source": "Tidal Cyber",
+ "tags": [
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "f41dcc5a-017d-4e79-86c1-c7055bd3b513",
+ "value": "OilCheck"
+ },
{
"description": "[Okrum](https://app.tidalcyber.com/software/f9bcf0a1-f287-44ec-8f53-6859d41e041c) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://app.tidalcyber.com/groups/26c0925f-1a3c-4df6-b27a-62b9731299b8).[[ESET Okrum July 2019](https://app.tidalcyber.com/references/197163a8-1a38-4edd-ba73-f44e7a329f41)]",
"meta": {
@@ -17236,10 +16336,6 @@
{
"dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
"type": "used-by"
- },
- {
- "dest-uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83",
- "type": "similar"
}
],
"uuid": "f9bcf0a1-f287-44ec-8f53-6859d41e041c",
@@ -17264,10 +16360,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be",
- "type": "similar"
}
],
"uuid": "479814e2-2656-4ea2-9e79-fcdb818f703e",
@@ -17292,10 +16384,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "3249e92a-870b-426d-8790-ba311c1abfb4",
- "type": "similar"
}
],
"uuid": "073b5288-11d6-4db0-9f2c-a1816847d15c",
@@ -17308,7 +16396,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5136",
+ "software_attack_id": "S3255",
"source": "Tidal Cyber",
"tags": [
"b6116080-8fbf-4e9f-9206-20b025f2cf23",
@@ -17342,10 +16430,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e",
- "type": "similar"
}
],
"uuid": "6056bf36-fb45-498d-a285-5f98ae08b090",
@@ -17370,10 +16454,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c",
- "type": "similar"
}
],
"uuid": "4f1894d4-d085-4348-af50-dfda257a9e18",
@@ -17386,7 +16466,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5230",
+ "software_attack_id": "S3351",
"source": "Tidal Cyber",
"tags": [
"1dd2d703-fed1-41d2-9843-7b276ef3d6f2",
@@ -17408,7 +16488,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5273",
+ "software_attack_id": "S3017",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -17470,10 +16550,6 @@
{
"dest-uuid": "eadd78e3-3b5d-430a-b994-4360b172c871",
"type": "used-by"
- },
- {
- "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b",
- "type": "similar"
}
],
"uuid": "45a52a29-00c0-458a-b705-1040e06a43f2",
@@ -17495,10 +16571,6 @@
{
"dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
"type": "used-by"
- },
- {
- "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
- "type": "similar"
}
],
"uuid": "fa1e13b8-2fb7-42e8-b630-25f0edfbca65",
@@ -17523,10 +16595,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29",
- "type": "similar"
}
],
"uuid": "a45904b5-0ada-4567-be4c-947146c7f574",
@@ -17544,12 +16612,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "f1314e75-ada8-49f4-b281-b1fb8b48f2a7",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4d91d625-21d8-484a-b63f-0a3daa4ed434",
"value": "OSX/Shlayer"
},
@@ -17569,10 +16632,6 @@
{
"dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"type": "used-by"
- },
- {
- "dest-uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d",
- "type": "similar"
}
],
"uuid": "273b1e8d-a23d-4c22-8493-80f3d6639352",
@@ -17598,10 +16657,6 @@
{
"dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
"type": "used-by"
- },
- {
- "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae",
- "type": "similar"
}
],
"uuid": "042fe42b-f60e-45e1-b47d-a913e0677976",
@@ -17619,12 +16674,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6d8a8510-e6f1-49a7-b3a5-bd4664937147",
"value": "OwaAuth"
},
@@ -17640,12 +16690,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "916f8a7c-e487-4446-b6ee-c8da712a9569",
"value": "P2P ZeuS"
},
@@ -17665,10 +16710,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9",
- "type": "similar"
}
],
"uuid": "1933ad3d-3085-4b1b-82b9-ac51b440e2bf",
@@ -17691,10 +16732,6 @@
{
"dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
"type": "used-by"
- },
- {
- "dest-uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1",
- "type": "similar"
}
],
"uuid": "13856c51-d81c-5d75-bb6a-0bbdcc857cdd",
@@ -17727,10 +16764,6 @@
{
"dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886",
"type": "used-by"
- },
- {
- "dest-uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9",
- "type": "similar"
}
],
"uuid": "e90eb529-1665-5fd7-a44e-695715e4081b",
@@ -17759,10 +16792,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1",
- "type": "similar"
}
],
"uuid": "320b0784-4f0f-46ea-99e9-c34bfcca1c2e",
@@ -17784,10 +16813,6 @@
{
"dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"type": "used-by"
- },
- {
- "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae",
- "type": "similar"
}
],
"uuid": "3f018e73-d09b-4c8d-815b-8b2c8faf7055",
@@ -17806,10 +16831,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
- "type": "similar"
}
],
"uuid": "8d007d52-8898-494c-8d72-354abd93da1e",
@@ -17822,7 +16843,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5037",
+ "software_attack_id": "S3039",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -17870,10 +16891,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd",
- "type": "similar"
}
],
"uuid": "4d79530c-2fd9-4438-a8da-74f42119695a",
@@ -17900,10 +16917,6 @@
{
"dest-uuid": "7094468a-2310-48b5-ad24-e669152bd66d",
"type": "used-by"
- },
- {
- "dest-uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83",
- "type": "similar"
}
],
"uuid": "9aa21e50-726e-4002-8b7b-75697a03eb2b",
@@ -17916,7 +16929,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5137",
+ "software_attack_id": "S3256",
"source": "Tidal Cyber",
"tags": [
"074533ec-e14a-4dc3-98ae-c029904e3d6d",
@@ -17947,10 +16960,6 @@
{
"dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
"type": "used-by"
- },
- {
- "dest-uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15",
- "type": "similar"
}
],
"uuid": "873ede85-548b-5fc0-a29e-80bd5afc5bf4",
@@ -17963,7 +16972,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5038",
+ "software_attack_id": "S3040",
"source": "Tidal Cyber",
"tags": [
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
@@ -18021,10 +17030,6 @@
{
"dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
"type": "used-by"
- },
- {
- "dest-uuid": "3a53b207-aba2-4a2b-9cdb-273d633669e7",
- "type": "similar"
}
],
"uuid": "71eb2211-39aa-4b89-bd51-9dcabd363149",
@@ -18037,7 +17042,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5138",
+ "software_attack_id": "S3257",
"source": "Tidal Cyber",
"tags": [
"62496b72-7820-4512-b3f9-188464bb8161",
@@ -18059,7 +17064,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5193",
+ "software_attack_id": "S3314",
"source": "Tidal Cyber",
"tags": [
"ff5c357e-6b9b-4ef3-a7ed-e5d4c0091c0c",
@@ -18099,10 +17104,6 @@
{
"dest-uuid": "788ffbf6-1a36-481a-a504-bbcd9f907886",
"type": "used-by"
- },
- {
- "dest-uuid": "79dd477a-8226-4b3d-ad15-28623675f221",
- "type": "similar"
}
],
"uuid": "52a19c73-2454-4893-8f84-8d05c37a9472",
@@ -18124,10 +17125,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550",
- "type": "similar"
}
],
"uuid": "951fad62-f636-4c01-b924-bb0ce87f5b20",
@@ -18149,10 +17146,6 @@
{
"dest-uuid": "441b91d1-256a-4763-bac6-8f1c76764a25",
"type": "used-by"
- },
- {
- "dest-uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623",
- "type": "similar"
}
],
"uuid": "1f080577-c002-4b49-a342-fa70983c1d58",
@@ -18165,7 +17158,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5264",
+ "software_attack_id": "S3385",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -18186,9 +17179,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5279",
+ "software_attack_id": "S3119",
"source": "Tidal Cyber",
"tags": [
+ "288f845a-9683-4bd7-a7a7-b25cbf297532",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"d819ae1a-e385-49fd-88d5-f66660729ecb",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -18216,7 +17210,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5307",
+ "software_attack_id": "S3086",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -18256,10 +17250,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e",
- "type": "similar"
}
],
"uuid": "fd63cec1-9f72-4ed0-9926-2dbbb3d9cead",
@@ -18272,9 +17262,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5265",
+ "software_attack_id": "S3106",
"source": "Tidal Cyber",
"tags": [
+ "ac70a2da-0b1a-40bd-9d1b-21b9ac789832",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
"84615fe0-c2a5-4e07-8957-78ebc29b4635"
],
@@ -18310,10 +17301,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2",
- "type": "similar"
}
],
"uuid": "db5d718b-1344-4aa2-8e6a-54e68d8adfb1",
@@ -18338,10 +17325,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
- "type": "similar"
}
],
"uuid": "ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4",
@@ -18423,10 +17406,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
- "type": "similar"
}
],
"uuid": "4ea12106-c0a1-4546-bb64-a1675d9f5dc7",
@@ -18439,7 +17418,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5003",
+ "software_attack_id": "S3012",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -18489,10 +17468,6 @@
{
"dest-uuid": "15ff1ce0-44f0-4f1d-a4ef-83444570e572",
"type": "used-by"
- },
- {
- "dest-uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1",
- "type": "similar"
}
],
"uuid": "4360cc62-7263-48b2-bd2a-a7737563545c",
@@ -18514,10 +17489,6 @@
{
"dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
"type": "used-by"
- },
- {
- "dest-uuid": "8393dac0-0583-456a-9372-fd81691bca20",
- "type": "similar"
}
],
"uuid": "92744f7b-9f1a-472c-bae0-2d4a7ce68bb4",
@@ -18539,10 +17510,6 @@
{
"dest-uuid": "a0c31021-b281-4c41-9855-436768299fe7",
"type": "used-by"
- },
- {
- "dest-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
- "type": "similar"
}
],
"uuid": "14e65c5d-5164-41a3-92de-67fdd1d529d2",
@@ -18560,12 +17527,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "d79b1800-3b5d-4a4f-8863-8251eca793e2",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c0e56f14-9768-5547-abcb-aa3f220d0e40",
"value": "PITSTOP"
},
@@ -18576,7 +17538,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5139",
+ "software_attack_id": "S3258",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -18606,10 +17568,6 @@
{
"dest-uuid": "021b3c71-6467-4e46-a413-8b726f066f2c",
"type": "used-by"
- },
- {
- "dest-uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b",
- "type": "similar"
}
],
"uuid": "9445f18a-a796-447a-a35f-94a9fb72411c",
@@ -18622,9 +17580,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5300",
+ "software_attack_id": "S3062",
"source": "Tidal Cyber",
"tags": [
+ "8208249d-1f4c-4781-ba14-b591f74c081c",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"5e7433ad-a894-4489-93bc-41e90da90019",
@@ -18664,10 +17623,6 @@
{
"dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
"type": "used-by"
- },
- {
- "dest-uuid": "b57f419e-8b12-49d3-886b-145383725dcd",
- "type": "similar"
}
],
"uuid": "9a890a85-afbe-4c35-a3e7-1adad481bdf7",
@@ -18680,7 +17635,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5041",
+ "software_attack_id": "S3043",
"source": "Tidal Cyber",
"tags": [
"27a117ce-bb19-4f79-9bc2-a851b69c5c50",
@@ -18797,10 +17752,6 @@
{
"dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
"type": "used-by"
- },
- {
- "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
- "type": "similar"
}
],
"uuid": "070b56f4-7810-4dad-b85f-bdfce9c08c10",
@@ -18822,10 +17773,6 @@
{
"dest-uuid": "6005f4a9-fe26-4237-a44e-3f6cbb1fe75c",
"type": "used-by"
- },
- {
- "dest-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d",
- "type": "similar"
}
],
"uuid": "95c273d2-3081-4cb5-8d41-37eb4e90264d",
@@ -18838,7 +17785,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5140",
+ "software_attack_id": "S3259",
"source": "Tidal Cyber",
"tags": [
"6d924d43-5de3-45de-8466-a8c47a5b9e68",
@@ -18865,12 +17812,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "79b4f277-3b18-4aa7-9f96-44b35b23166b",
"value": "PoetRAT"
},
@@ -18949,10 +17891,6 @@
{
"dest-uuid": "60936d3c-37ed-4116-a407-868da3aa4446",
"type": "used-by"
- },
- {
- "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
- "type": "similar"
}
],
"uuid": "1d87a695-7989-49ae-ac1a-b6601db565c3",
@@ -18977,10 +17915,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e",
- "type": "similar"
}
],
"uuid": "3b7179fa-7b8b-4068-b224-d8d9c642964d",
@@ -19001,12 +17935,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "222ba512-32d9-49ac-aefd-50ce981ce2ce",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "555b612e-3f0d-421d-b2a7-63eb2d1ece5f",
"value": "Pony"
},
@@ -19026,10 +17955,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79",
- "type": "similar"
}
],
"uuid": "1353d695-5bae-4593-988f-9bd07a6fd1bb",
@@ -19042,7 +17967,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5336",
+ "software_attack_id": "S3151",
"source": "Tidal Cyber",
"tags": [
"39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb",
@@ -19103,10 +18028,6 @@
{
"dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
"type": "used-by"
- },
- {
- "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc",
- "type": "similar"
}
],
"uuid": "a3a03835-79bf-4558-8e80-7983aeb842fb",
@@ -19131,10 +18052,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
- "type": "similar"
}
],
"uuid": "b92f28c4-cbc8-4721-ac79-2d8bdf5247e5",
@@ -19159,10 +18076,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
- "type": "similar"
}
],
"uuid": "d9e4f4a1-dd41-424e-986a-b9a39ebea805",
@@ -19176,6 +18089,9 @@
],
"software_attack_id": "S1012",
"source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
"type": [
"malware"
]
@@ -19184,10 +18100,6 @@
{
"dest-uuid": "7a9d653c-8812-4b96-81d1-b0a27ca918b4",
"type": "used-by"
- },
- {
- "dest-uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4",
- "type": "similar"
}
],
"uuid": "8b9159c1-db48-472b-9897-34325da5dca7",
@@ -19202,12 +18114,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "018ee1d9-35af-49dc-a667-11b77cd76f46",
"value": "Power Loader"
},
@@ -19218,7 +18125,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5231",
+ "software_attack_id": "S3352",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -19251,10 +18158,6 @@
{
"dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
"type": "used-by"
- },
- {
- "dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15",
- "type": "similar"
}
],
"uuid": "e7cdaf70-5e28-442a-b34d-894484788dc5",
@@ -19276,10 +18179,6 @@
{
"dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
"type": "used-by"
- },
- {
- "dest-uuid": "53486bc7-7748-4716-8190-e4f1fde04c53",
- "type": "similar"
}
],
"uuid": "2ca245de-77a9-4857-ba93-fd0d6988df9d",
@@ -19304,10 +18203,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
- "type": "similar"
}
],
"uuid": "a4700431-6578-489f-9782-52e394277296",
@@ -19374,10 +18269,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
- "type": "similar"
}
],
"uuid": "82fad10d-c921-4a87-a533-49def83d002b",
@@ -19402,10 +18293,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd",
- "type": "similar"
}
],
"uuid": "837bcf97-37a7-4001-a466-306574fd7890",
@@ -19430,10 +18317,6 @@
{
"dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"type": "used-by"
- },
- {
- "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37",
- "type": "similar"
}
],
"uuid": "39fc59c6-f1aa-4c93-8e43-1f41563e9d9e",
@@ -19447,6 +18330,9 @@
],
"software_attack_id": "S0371",
"source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
"type": [
"malware"
]
@@ -19455,10 +18341,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b",
- "type": "similar"
}
],
"uuid": "b3c28750-3825-4e4d-ab92-f39a6b0827dd",
@@ -19471,7 +18353,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5039",
+ "software_attack_id": "S3041",
"source": "Tidal Cyber",
"tags": [
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
@@ -19495,6 +18377,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
{
"dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
"type": "used-by"
@@ -19526,7 +18412,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5294",
+ "software_attack_id": "S3016",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -19565,10 +18451,6 @@
{
"dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"type": "used-by"
- },
- {
- "dest-uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3",
- "type": "similar"
}
],
"uuid": "7ed984bb-d098-4d0a-90fd-b03e68842479",
@@ -19593,10 +18475,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
- "type": "similar"
}
],
"uuid": "67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4",
@@ -19609,7 +18487,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5141",
+ "software_attack_id": "S3260",
"source": "Tidal Cyber",
"tags": [
"0661bf1f-76ec-490c-937a-efa3f02bc59b",
@@ -19633,6 +18511,7 @@
"software_attack_id": "S1058",
"source": "MITRE",
"tags": [
+ "92ce4726-c01f-4e51-a36d-f72fcfa77d79",
"5e7433ad-a894-4489-93bc-41e90da90019",
"7e7b0c67-bb85-4996-a289-da0e792d7172"
],
@@ -19644,10 +18523,6 @@
{
"dest-uuid": "16a65ee9-cd60-4f04-ba34-f2f45fcfc666",
"type": "used-by"
- },
- {
- "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be",
- "type": "similar"
}
],
"uuid": "4fb5b109-5a5c-5441-a0f9-f639ead5405e",
@@ -19668,12 +18543,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "1da989a8-41cc-4e89-a435-a88acb72ae0d",
"value": "Prikormka"
},
@@ -19684,7 +18554,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5142",
+ "software_attack_id": "S3261",
"source": "Tidal Cyber",
"tags": [
"01aca077-8cfb-4d1d-9b83-3678cd26f050",
@@ -19706,7 +18576,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5143",
+ "software_attack_id": "S3262",
"source": "Tidal Cyber",
"tags": [
"37a70ca8-a027-458c-9a48-7e0d307462be",
@@ -19728,7 +18598,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5036",
+ "software_attack_id": "S3038",
"source": "Tidal Cyber",
"tags": [
"27a117ce-bb19-4f79-9bc2-a851b69c5c50",
@@ -19771,7 +18641,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5040",
+ "software_attack_id": "S3042",
"source": "Tidal Cyber",
"tags": [
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -19829,12 +18699,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "471d0e9f-2c8a-4e4b-8f3b-f85d2407806e",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c8af096e-c71e-4751-b203-70c285b7a7bd",
"value": "ProLock"
},
@@ -19845,7 +18710,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5232",
+ "software_attack_id": "S3353",
"source": "Tidal Cyber",
"tags": [
"77131d00-b8b2-42ef-afbd-1fbfc12729df",
@@ -19872,12 +18737,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "d3bcdbc4-5998-4e50-bd45-cba6a3278427",
"value": "Proton"
},
@@ -19888,7 +18748,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5144",
+ "software_attack_id": "S3263",
"source": "Tidal Cyber",
"tags": [
"9e5ec91c-0d0f-4e40-846d-d7b7eb941e17",
@@ -19903,6 +18763,34 @@
"uuid": "83e1ac24-3928-40ba-b701-d72549a9430c",
"value": "Provlaunch"
},
+ {
+ "description": "According to joint Cybersecurity Advisory AA24-249A (September 2024), ProxyChains is \"a tool used to route internal traffic through a series of proxies\". It has been abused by adversaries including Unit 29155 Russian military cyber actors.[[U.S. CISA Unit 29155 September 5 2024](/references/9631a46d-3e0a-4f25-962b-0b2501c47926)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "macOS",
+ "Linux"
+ ],
+ "software_attack_id": "S3168",
+ "source": "Tidal Cyber",
+ "tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
+ "be319849-fb2c-4b5f-8055-0bde562c280b"
+ ],
+ "type": [
+ "tool"
+ ]
+ },
+ "related": [],
+ "uuid": "b62c13d5-729c-46a8-ae4d-98bc1ab919cb",
+ "value": "ProxyChains"
+ },
{
"description": "[Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is a malicious DLL used by [Lazarus Group](https://app.tidalcyber.com/groups/0bc66e95-de93-4de7-b415-4041b7191f08) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://app.tidalcyber.com/software/94f43629-243e-49dc-8c2b-cdf4fc15cf83) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [[McAfee GhostSecret](https://app.tidalcyber.com/references/d1cd4f5b-253c-4833-8905-49fb58e7c016)]",
"meta": {
@@ -19919,10 +18807,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "069af411-9b24-4e85-b26c-623d035bbe84",
- "type": "similar"
}
],
"uuid": "94f43629-243e-49dc-8c2b-cdf4fc15cf83",
@@ -19940,12 +18824,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "13183cdf-280b-46be-913a-5c6df47831e7",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "8cd401ac-a233-4395-a8ae-d75db9d5b845",
"value": "PS1"
},
@@ -19958,6 +18837,8 @@
"software_attack_id": "S0029",
"source": "MITRE",
"tags": [
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"d903e38b-600d-4736-9e3b-cf1a6e436481",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -19985,6 +18866,10 @@
"dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
"type": "used-by"
},
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
"type": "used-by"
@@ -20160,10 +19045,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
- "type": "similar"
}
],
"uuid": "73eb32af-4bd3-4e21-8048-355edc55a9c6",
@@ -20176,7 +19057,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5145",
+ "software_attack_id": "S3264",
"source": "Tidal Cyber",
"tags": [
"08f4ef8d-94bb-42f7-b76d-71bcc809bcc9",
@@ -20207,10 +19088,6 @@
{
"dest-uuid": "6c1bdc51-f633-4512-8b20-04a11c2d97f4",
"type": "used-by"
- },
- {
- "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
- "type": "similar"
}
],
"uuid": "8c35d349-2f70-4edb-8668-e1cc2b67e4a0",
@@ -20235,15 +19112,65 @@
{
"dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
"type": "used-by"
- },
- {
- "dest-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
- "type": "similar"
}
],
"uuid": "7fed4276-807e-4656-95f5-90878b6e2dbb",
"value": "Pteranodon"
},
+ {
+ "description": "PTSOCKET is an exfiltration tool, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3175",
+ "source": "Tidal Cyber",
+ "tags": [
+ "8bf128ad-288b-41bc-904f-093f4fdde745",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "c1215fe3-95e4-49e1-9cb2-54d1827df0aa",
+ "value": "PTSOCKET"
+ },
+ {
+ "description": "PUBLOAD is a multi-purpose tool primarily used to orchestrate command and control, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[[Trend Micro September 9 2024](/references/0fdc9ee2-5be2-43e0-afb9-c9a94fde3867)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3176",
+ "source": "Tidal Cyber",
+ "tags": [
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "13ee9058-0902-484e-8096-670c882cb18d",
+ "value": "PUBLOAD"
+ },
{
"description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Proxy execution with Pubprn.vbs\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n* C:\\Windows\\SysWOW64\\Printing_Admin_Scripts\\en-US\\pubprn.vbs\n\n**Resources:**\n* [https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/](https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/)\n* [https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology](https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology)\n* [https://github.com/enigma0x3/windows-operating-system-archaeology](https://github.com/enigma0x3/windows-operating-system-archaeology)\n\n**Detection:**\n* BlockRule: [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)\n* Sigma: [proc_creation_win_lolbin_pubprn.yml](https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml)[[Pubprn.vbs - LOLBAS Project](/references/d2b6b9fd-5f80-41c0-ac22-06b78c86a9e5)]",
"meta": {
@@ -20251,7 +19178,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5260",
+ "software_attack_id": "S3381",
"source": "Tidal Cyber",
"tags": [
"8177e8ac-f80d-477d-b0af-c2ea243ddf00",
@@ -20288,10 +19215,6 @@
{
"dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
"type": "used-by"
- },
- {
- "dest-uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40",
- "type": "similar"
}
],
"uuid": "d777204c-f93c-54d9-b80e-41641a3d55ce",
@@ -20304,7 +19227,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5068",
+ "software_attack_id": "S3093",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -20344,10 +19267,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c",
- "type": "similar"
}
],
"uuid": "d8999d60-3818-4d75-8756-8a55531254d8",
@@ -20372,10 +19291,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79",
- "type": "similar"
}
],
"uuid": "1638d99b-fbcf-40ec-ac48-802ce5be520a",
@@ -20404,10 +19319,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
- "type": "similar"
}
],
"uuid": "0a8bedc2-b404-4a9a-b4f5-ff90ff8294be",
@@ -20420,7 +19331,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5291",
+ "software_attack_id": "S3007",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -20442,9 +19353,11 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5065",
+ "software_attack_id": "S3090",
"source": "Tidal Cyber",
"tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"27a117ce-bb19-4f79-9bc2-a851b69c5c50",
"6070668f-1cbd-4878-8066-c636d1d8659c",
@@ -20463,6 +19376,14 @@
"dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
"type": "used-by"
},
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
{
"dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
"type": "used-by"
@@ -20484,6 +19405,7 @@
"software_attack_id": "S0006",
"source": "MITRE",
"tags": [
+ "c1f5abc0-340f-4b93-96d7-ca6ea7942b64",
"4d767e87-4cf6-438a-927a-43d2d0beaab7"
],
"type": [
@@ -20514,10 +19436,6 @@
{
"dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
"type": "used-by"
- },
- {
- "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
- "type": "similar"
}
],
"uuid": "77f629db-d971-49d8-8b73-c7c779b7de3e",
@@ -20542,10 +19460,6 @@
{
"dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c",
"type": "used-by"
- },
- {
- "dest-uuid": "2ac41e8b-4865-4ced-839d-78e7852c47f3",
- "type": "similar"
}
],
"uuid": "51b2c56e-7d64-4e15-b1bd-45a980c9c44d",
@@ -20568,12 +19482,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "a19c1197-9414-46e3-986f-0f609ff4a46b",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e0d5ecce-eca0-4f01-afcc-0c8e92323016",
"value": "Pysa"
},
@@ -20613,10 +19522,6 @@
{
"dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
"type": "used-by"
- },
- {
- "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
- "type": "similar"
}
],
"uuid": "9050b418-5ffd-481a-a30d-f9059b0871ea",
@@ -20630,7 +19535,7 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5326",
+ "software_attack_id": "S3141",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -20660,7 +19565,7 @@
"platforms": [
"Linux"
],
- "software_attack_id": "S5310",
+ "software_attack_id": "S3123",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -20678,6 +19583,33 @@
"uuid": "01a33c16-7eb3-4494-8c05-b163f871b951",
"value": "Qilin Ransomware (Linux)"
},
+ {
+ "description": "This object reflects ATT&CK Techniques associated with 7777 or Quad7, a botnet used to compromise network devices such as TP-LINK small office/home office (\"SOHO\") routers and use the infected devices to relay password spraying attacks against Microsoft 365 accounts.\n\nAdditional Techniques associated with the botnet's operators can be found in the related Group object, \"Quad7 Botnet Operators\".[[Sekoia.io Blog July 23 2024](/references/ae84e72a-56b3-4dc4-b053-d3766764ac0d)][[Sekoia.io Blog September 9 2024](/references/eb4a1888-3b04-449b-9738-d96ae26adfee)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S3171",
+ "source": "Tidal Cyber",
+ "tags": [
+ "e809d252-12cc-494d-94f5-954c49eb87ce",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bf3d1108-0bcd-47ae-8d71-4df48e3e2b43",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "adcf70d6-74e0-4436-bc92-f05bc924bf80",
+ "value": "Quad7 Botnet"
+ },
{
"description": "[QUADAGENT](https://app.tidalcyber.com/software/2bf68242-1dbd-405b-ac35-330eda887081) is a PowerShell backdoor used by [OilRig](https://app.tidalcyber.com/groups/d01abdb1-0378-4654-aa38-1a4a292703e2). [[Unit 42 QUADAGENT July 2018](https://app.tidalcyber.com/references/320f49df-7b0a-4a6a-8542-17b0f56c94c9)]",
"meta": {
@@ -20697,15 +19629,44 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77",
- "type": "similar"
}
],
"uuid": "2bf68242-1dbd-405b-ac35-330eda887081",
"value": "QUADAGENT"
},
+ {
+ "description": "Quantum Locker is a ransomware payload that derives from the MountLocker, AstroLocker, and XingLocker ransomware families. Actors that deploy Quantum ransomware are known to publicly extort their victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3184",
+ "source": "Tidal Cyber",
+ "tags": [
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "e75a1b98-be68-467f-a8df-bcb7671543b3",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "b0c18cd8-a859-4cd2-9558-33e5bcd4610c",
+ "value": "Quantum Locker"
+ },
{
"description": "[QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://app.tidalcyber.com/software/4bab7c2b-5ec4-467e-8df4-f2e6996e136b) is developed in the C# language.[[GitHub QuasarRAT](https://app.tidalcyber.com/references/c87e4427-af97-4e93-9596-ad5a588aa171)][[Volexity Patchwork June 2018](https://app.tidalcyber.com/references/d3ed7dd9-0941-4160-aa6a-c0244c63560f)]",
"meta": {
@@ -20741,10 +19702,6 @@
{
"dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
"type": "used-by"
- },
- {
- "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470",
- "type": "similar"
}
],
"uuid": "4bab7c2b-5ec4-467e-8df4-f2e6996e136b",
@@ -20757,7 +19714,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5319",
+ "software_attack_id": "S3134",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -20795,12 +19752,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "52d3515c-5184-5257-bf24-56adccb4cccd",
"value": "QUIETCANARY"
},
@@ -20823,10 +19775,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200",
- "type": "similar"
}
],
"uuid": "947ab087-7550-577f-9ae9-5e82e9910610",
@@ -20851,10 +19799,6 @@
{
"dest-uuid": "41e8b4a4-2d31-46ee-bc56-12375084d067",
"type": "used-by"
- },
- {
- "dest-uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828",
- "type": "similar"
}
],
"uuid": "dcdb74c5-4445-49bd-9f9c-236a7ecc7904",
@@ -20867,7 +19811,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5053",
+ "software_attack_id": "S3076",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -20908,7 +19852,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5070",
+ "software_attack_id": "S3095",
"source": "Tidal Cyber",
"tags": [
"15787198-6c8b-4f79-bf50-258d55072fee",
@@ -20934,7 +19878,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5281",
+ "software_attack_id": "S3120",
"source": "Tidal Cyber",
"tags": [
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
@@ -20976,8 +19920,6 @@
"software_attack_id": "S0481",
"source": "MITRE",
"tags": [
- "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
- "2feda37d-5579-4102-a073-aa02e82cb49f",
"cb5803f0-8ab4-4ada-8540-7758dfc126e2",
"5e7433ad-a894-4489-93bc-41e90da90019",
"a2e000da-8181-4327-bacd-32013dbd3654",
@@ -20991,10 +19933,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb",
- "type": "similar"
}
],
"uuid": "d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f",
@@ -21019,10 +19957,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19",
- "type": "similar"
}
],
"uuid": "80295aeb-59e3-4c5d-ac39-9879158f8d23",
@@ -21044,10 +19978,6 @@
{
"dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"type": "used-by"
- },
- {
- "dest-uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7",
- "type": "similar"
}
],
"uuid": "42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e",
@@ -21065,12 +19995,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "dc307b3c-9bc5-4624-b0bc-4807fa1fc57b",
"value": "Ramsay"
},
@@ -21081,9 +20006,12 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5325",
+ "software_attack_id": "S3140",
"source": "Tidal Cyber",
"tags": [
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
@@ -21107,6 +20035,10 @@
{
"dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
"type": "used-by"
+ },
+ {
+ "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8",
+ "type": "used-by"
}
],
"uuid": "a3044fb5-3aae-4590-b589-cc88bf0d1f34",
@@ -21129,15 +20061,41 @@
{
"dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
"type": "used-by"
- },
- {
- "dest-uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b",
- "type": "similar"
}
],
"uuid": "129abb68-7992-554e-92fa-fa376279c0b6",
"value": "RAPIDPULSE"
},
+ {
+ "description": "Raptor Train is a large botnet, linked to Chinese espionage actor Flax Typhoon, that consisted of compromised small office/home office (SOHO) and IoT devices. Raptor Train is believed to have acted as a proxy to conceal further malicious activity such as targeted compromises of U.S. and Taiwanese networks.[[Black Lotus Raptor Train September 18 2024](/references/21e26577-887b-4b8c-a3f8-4ab8868bed69)][[FBI PRC Botnet September 18 2024](/references/cfb6f191-6c43-423b-9289-02beb3d721d1)]\n\nInitial compromises typically occurred through exploit of a large number of previously disclosed vulnerabilities, a list of which is provided in a [September 2024 U.S. cybersecurity advisory](https://www.ic3.gov/Media/News/2024/240918.pdf).[[FBI PRC Botnet September 18 2024](/references/cfb6f191-6c43-423b-9289-02beb3d721d1)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Network"
+ ],
+ "software_attack_id": "S3188",
+ "source": "Tidal Cyber",
+ "tags": [
+ "33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a",
+ "a159c91c-5258-49ea-af7d-e803008d97d3",
+ "70dc52b0-f317-4134-8a42-71aea1443707",
+ "b20e7912-6a8d-46e3-8e13-9a3fc4813852",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b39d8eae-12e3-4903-a387-4c31d16a73b2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "6d516363-4f83-4ba9-9726-1821b167e5e3",
+ "value": "Raptor Train"
+ },
{
"description": "[RARSTONE](https://app.tidalcyber.com/software/a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2) is malware used by the [Naikon](https://app.tidalcyber.com/groups/a80c00b2-b8b6-4780-99bb-df8fe921947d) group that has some characteristics similar to [PlugX](https://app.tidalcyber.com/software/070b56f4-7810-4dad-b85f-bdfce9c08c10). [[Aquino RARSTONE](https://app.tidalcyber.com/references/2327592e-4e8a-481e-bdf9-d548c776adee)]",
"meta": {
@@ -21157,10 +20115,6 @@
{
"dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"type": "used-by"
- },
- {
- "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831",
- "type": "similar"
}
],
"uuid": "a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2",
@@ -21173,7 +20127,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5146",
+ "software_attack_id": "S3265",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -21194,9 +20148,14 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5002",
+ "software_attack_id": "S3011",
"source": "Tidal Cyber",
"tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
"15787198-6c8b-4f79-bf50-258d55072fee",
"e809d252-12cc-494d-94f5-954c49eb87ce"
@@ -21230,10 +20189,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c",
- "type": "similar"
}
],
"uuid": "40466d7d-a107-46aa-a6fc-180e0eef2c6b",
@@ -21255,10 +20210,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079",
- "type": "similar"
}
],
"uuid": "d86a562d-d235-4481-9a3f-273fa3ebe89a",
@@ -21280,10 +20231,6 @@
{
"dest-uuid": "7902f5cc-d6a5-4a57-8d54-4c75e0c58b83",
"type": "used-by"
- },
- {
- "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
- "type": "similar"
}
],
"uuid": "6ea1bf95-fed8-4b94-8071-aa19a3af5e34",
@@ -21300,6 +20247,8 @@
"software_attack_id": "S1040",
"source": "MITRE",
"tags": [
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
"d903e38b-600d-4736-9e3b-cf1a6e436481",
"d819ae1a-e385-49fd-88d5-f66660729ecb",
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
@@ -21327,6 +20276,10 @@
"dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7",
"type": "used-by"
},
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
"type": "used-by"
@@ -21374,10 +20327,6 @@
{
"dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
"type": "used-by"
- },
- {
- "dest-uuid": "59096109-a1dd-463b-87e7-a8d110fe3a79",
- "type": "similar"
}
],
"uuid": "1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4",
@@ -21406,10 +20355,6 @@
{
"dest-uuid": "4a4641b1-7686-49da-8d83-00d8013f4b47",
"type": "used-by"
- },
- {
- "dest-uuid": "03acae53-9b98-46f6-b204-16b930839055",
- "type": "similar"
}
],
"uuid": "38c4d208-fe38-4965-871c-709fa1479ba3",
@@ -21422,7 +20367,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5233",
+ "software_attack_id": "S3354",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -21455,10 +20400,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b",
- "type": "similar"
}
],
"uuid": "567da30e-fd4d-4ec5-a308-bf08788f3bfb",
@@ -21483,10 +20424,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "065196de-d7e8-4888-acfb-b2134022ba1b",
- "type": "similar"
}
],
"uuid": "ca4e973c-da15-46a9-8f3a-0b1560c9a783",
@@ -21499,7 +20436,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5012",
+ "software_attack_id": "S3052",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -21529,7 +20466,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5147",
+ "software_attack_id": "S3266",
"source": "Tidal Cyber",
"tags": [
"9fbc403c-bd2e-458a-a202-a65b8201e973",
@@ -21556,12 +20493,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ca544771-d43e-4747-80e5-cf0f4a4836f3",
"value": "Reaver"
},
@@ -21581,10 +20513,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
- "type": "similar"
}
],
"uuid": "5264c3ab-14e1-4ae1-854e-889ebde029b4",
@@ -21654,10 +20582,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
- "type": "similar"
}
],
"uuid": "d796615c-fa3d-4afd-817a-1a3db8c73532",
@@ -21670,7 +20594,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5148",
+ "software_attack_id": "S3268",
"source": "Tidal Cyber",
"tags": [
"7d31d8f7-375b-4fb3-a631-51b42e58d95a",
@@ -21704,10 +20628,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd",
- "type": "similar"
}
],
"uuid": "52dc08d8-82cc-46dc-91ae-383193d72963",
@@ -21720,7 +20640,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5149",
+ "software_attack_id": "S3269",
"source": "Tidal Cyber",
"tags": [
"36affa3d-c949-4e1b-8667-299490580dd5",
@@ -21747,12 +20667,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e88bf527-bb9c-45c3-b86b-04a07dcd91fd",
"value": "Regin"
},
@@ -21763,7 +20678,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5150",
+ "software_attack_id": "S3270",
"source": "Tidal Cyber",
"tags": [
"288c6e19-cf6c-451a-aff3-547f371ff4ad",
@@ -21785,7 +20700,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5151",
+ "software_attack_id": "S3271",
"source": "Tidal Cyber",
"tags": [
"d379a1fb-1028-4986-ae6c-eb8cc068aa68",
@@ -21807,7 +20722,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5152",
+ "software_attack_id": "S3272",
"source": "Tidal Cyber",
"tags": [
"141e4dce-00be-4bd7-9f81-6202939f0359",
@@ -21829,7 +20744,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5153",
+ "software_attack_id": "S3273",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -21895,6 +20810,7 @@
"software_attack_id": "S0332",
"source": "MITRE",
"tags": [
+ "db8f1478-995a-4d9e-ad48-fd8583730e0b",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
],
"type": [
@@ -21909,10 +20825,6 @@
{
"dest-uuid": "12279b62-289e-49ee-97cb-c780edd3d091",
"type": "used-by"
- },
- {
- "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14",
- "type": "similar"
}
],
"uuid": "2eb92fa8-514e-4018-adc4-c9fe4f082567",
@@ -21934,10 +20846,6 @@
{
"dest-uuid": "a57b52c7-9f64-4ffe-a7c3-0de738fb2af1",
"type": "used-by"
- },
- {
- "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5",
- "type": "similar"
}
],
"uuid": "82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb",
@@ -21950,7 +20858,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5234",
+ "software_attack_id": "S3355",
"source": "Tidal Cyber",
"tags": [
"828f1559-b13d-4426-9dcf-5f601fcb6ff0",
@@ -21981,10 +20889,6 @@
{
"dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
"type": "used-by"
- },
- {
- "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26",
- "type": "similar"
}
],
"uuid": "57fa64ea-975a-470a-a194-3428148ae9ee",
@@ -22006,10 +20910,6 @@
{
"dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"type": "used-by"
- },
- {
- "dest-uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b",
- "type": "similar"
}
],
"uuid": "8a7fa0df-c688-46be-94bf-462fae33b788",
@@ -22031,10 +20931,6 @@
{
"dest-uuid": "deb573c6-071a-4b50-9e92-4aa648d8bdc1",
"type": "used-by"
- },
- {
- "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
- "type": "similar"
}
],
"uuid": "e3729cff-f25e-4c01-a7a1-e8b83e903b30",
@@ -22047,7 +20943,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5154",
+ "software_attack_id": "S3274",
"source": "Tidal Cyber",
"tags": [
"accb4d24-4b40-41ce-ae2e-adcca7e80b41",
@@ -22068,6 +20964,8 @@
"software_attack_id": "S0174",
"source": "MITRE",
"tags": [
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
"af5e9be5-b86e-47af-91dd-966a5e34a186",
"6070668f-1cbd-4878-8066-c636d1d8659c",
"d8f7e071-fbfd-46f8-b431-e241bb1513ac",
@@ -22087,10 +20985,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
- "type": "similar"
}
],
"uuid": "2a5ea3a7-9873-4a2e-b4b5-4e27a80db305",
@@ -22116,10 +21010,6 @@
{
"dest-uuid": "830079fe-9824-405b-93e0-c28592155c49",
"type": "used-by"
- },
- {
- "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326",
- "type": "similar"
}
],
"uuid": "f99712b4-37a2-437c-92d7-fb4f94a1f892",
@@ -22134,6 +21024,7 @@
"software_attack_id": "S0496",
"source": "MITRE",
"tags": [
+ "e755f9bf-0007-411c-950d-4b66934298b4",
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"286918d5-0b48-4655-9118-907b53de0ee0",
@@ -22165,10 +21056,6 @@
{
"dest-uuid": "28f3dbcc-b248-442f-9ff3-234210bb2f2a",
"type": "used-by"
- },
- {
- "dest-uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
- "type": "similar"
}
],
"uuid": "9314531e-bf46-4cba-9c19-198279ccf9cd",
@@ -22193,10 +21080,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05",
- "type": "similar"
}
],
"uuid": "d5649d69-52d4-4198-9683-b250348dea32",
@@ -22209,9 +21092,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5302",
+ "software_attack_id": "S3065",
"source": "Tidal Cyber",
"tags": [
+ "abea659c-fe23-4252-afc0-17b8adaa24f7",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"5e7433ad-a894-4489-93bc-41e90da90019",
@@ -22223,6 +21107,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
+ },
{
"dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
"type": "used-by"
@@ -22247,10 +21135,6 @@
{
"dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
"type": "used-by"
- },
- {
- "dest-uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65",
- "type": "similar"
}
],
"uuid": "ca5ae7c8-467a-4434-82fc-db50ce3fc671",
@@ -22272,10 +21156,6 @@
{
"dest-uuid": "225314a7-8f40-48d4-9cff-3ec39b177762",
"type": "used-by"
- },
- {
- "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
- "type": "similar"
}
],
"uuid": "00fa4cc2-6f99-4b18-b927-689964ef57e1",
@@ -22293,12 +21173,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "56e6b6c2-e573-4969-8bab-783205cebbbf",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "19b1f1c8-5ef3-4328-b605-38e0bafc084d",
"value": "Rising Sun"
},
@@ -22318,10 +21193,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d",
- "type": "similar"
}
],
"uuid": "15bc8e94-64d1-4f1f-bc99-08cfbac417dc",
@@ -22344,12 +21215,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0a607c53-df52-45da-a75d-0e53df4dad5f",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "b65956ef-439a-463d-b85e-6606467f508a",
"value": "RobbinHood"
},
@@ -22369,10 +21235,6 @@
{
"dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
"type": "used-by"
- },
- {
- "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7",
- "type": "similar"
}
],
"uuid": "cb7aa34e-312f-4210-be7b-47a1e3f5b7b5",
@@ -22394,10 +21256,6 @@
{
"dest-uuid": "f2b31240-0b4a-4fa4-82a4-6bb00e146e75",
"type": "used-by"
- },
- {
- "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122",
- "type": "similar"
}
],
"uuid": "852cf78d-9cdc-4971-a972-405921027436",
@@ -22422,10 +21280,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
- "type": "similar"
}
],
"uuid": "a3479628-af0b-4088-8d2a-fafa384731dd",
@@ -22438,7 +21292,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5295",
+ "software_attack_id": "S3018",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -22474,10 +21328,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde",
- "type": "similar"
}
],
"uuid": "169bfcf6-544c-5824-a7cd-2d5070304b57",
@@ -22500,10 +21350,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
- "type": "similar"
}
],
"uuid": "3b755518-9085-474e-8bc4-4f9344d9c8af",
@@ -22521,12 +21367,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ef38ff3e-fa36-46f2-a720-3abaca167b04",
"value": "Rover"
},
@@ -22539,6 +21380,7 @@
"software_attack_id": "S1073",
"source": "MITRE",
"tags": [
+ "b05fef45-bf36-47a0-b96a-cc76ac8a4f1e",
"e551ae97-d1b4-484e-9267-89f33829ec2c",
"a2e000da-8181-4327-bacd-32013dbd3654",
"5e7433ad-a894-4489-93bc-41e90da90019",
@@ -22557,10 +21399,6 @@
{
"dest-uuid": "86b97a39-49c3-431e-bcc8-f4e13dbfcdf5",
"type": "used-by"
- },
- {
- "dest-uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21",
- "type": "similar"
}
],
"uuid": "221e24cb-910f-5988-9473-578ef350870c",
@@ -22573,7 +21411,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5155",
+ "software_attack_id": "S3275",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -22594,7 +21432,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5076",
+ "software_attack_id": "S3101",
"source": "Tidal Cyber",
"tags": [
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96"
@@ -22628,10 +21466,6 @@
{
"dest-uuid": "666ab5f0-3ef1-4e74-8a10-65c60a7d1acd",
"type": "used-by"
- },
- {
- "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
- "type": "similar"
}
],
"uuid": "1836485e-a3a6-4fae-a15d-d0990788811a",
@@ -22659,6 +21493,10 @@
"dest-uuid": "fcbf6963-839b-4853-8b80-73ff6831b7d7",
"type": "used-by"
},
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
{
"dest-uuid": "33159d02-a1ce-49ec-a381-60b069db66f7",
"type": "used-by"
@@ -22670,10 +21508,6 @@
{
"dest-uuid": "0b431229-036f-4157-a1da-ff16dfc095f8",
"type": "used-by"
- },
- {
- "dest-uuid": "e33267fe-099f-4af2-8730-63d49f8813b2",
- "type": "similar"
}
],
"uuid": "2e54f40c-ab62-535e-bbab-3f3a835ff55a",
@@ -22696,10 +21530,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38",
- "type": "similar"
}
],
"uuid": "69563cbd-7dc1-4396-b576-d5886df11046",
@@ -22712,7 +21542,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5156",
+ "software_attack_id": "S3276",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -22812,7 +21642,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5157",
+ "software_attack_id": "S3277",
"source": "Tidal Cyber",
"tags": [
"270a347d-d2e1-4d46-9b32-37e8d7264301",
@@ -22839,12 +21669,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e8afda1f-fa83-4fc3-b6fb-7d5daca7173f",
"value": "RunningRAT"
},
@@ -22855,7 +21680,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5158",
+ "software_attack_id": "S3278",
"source": "Tidal Cyber",
"tags": [
"065db33d-c152-4ba9-8bf9-13616f78ae05",
@@ -22877,7 +21702,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5159",
+ "software_attack_id": "S3279",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -22900,6 +21725,7 @@
"software_attack_id": "S0446",
"source": "MITRE",
"tags": [
+ "74eb9cdd-409f-41d6-bb4f-39af6d1b3232",
"89c5b94b-ecf4-4d53-9b74-3465086d4565",
"3ed3f7a6-b446-4fbc-a433-ff1d63c0e647",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
@@ -22926,10 +21752,6 @@
{
"dest-uuid": "fcaadc12-7c17-4946-a9dc-976ed610854c",
"type": "used-by"
- },
- {
- "dest-uuid": "a020a61c-423f-4195-8c46-ba1d21abba37",
- "type": "similar"
}
],
"uuid": "8ae86854-4cdc-49eb-895a-d1fa742f7974",
@@ -22954,10 +21776,6 @@
{
"dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
"type": "used-by"
- },
- {
- "dest-uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b",
- "type": "similar"
}
],
"uuid": "d66e5d18-e9f5-4091-bdf4-acdac129e2e0",
@@ -22982,15 +21800,39 @@
{
"dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
"type": "used-by"
- },
- {
- "dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
- "type": "similar"
}
],
"uuid": "a316c704-144a-4d14-8e4e-685bb6ae391c",
"value": "Sakula"
},
+ {
+ "description": "This is one of a series of malicious downloaders attributed to Iran-linked espionage actor OilRig, which were found to rely on legitimate cloud service providers for command and control purposes.[[ESET OilRig December 14 2023](/references/f96b74d5-ff75-47c6-a9a2-b2f43db351bc)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3156",
+ "source": "Tidal Cyber",
+ "tags": [
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "84615fe0-c2a5-4e07-8957-78ebc29b4635",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "5276226d-5453-42db-8701-a83b2b061b5b",
+ "value": "SampleCheck5000"
+ },
{
"description": "[SamSam](https://app.tidalcyber.com/software/88831e9f-453e-466f-9510-9acaa1f20368) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[[US-CERT SamSam 2018](https://app.tidalcyber.com/references/b9d14fea-2330-4eed-892c-b4e05a35d273)][[Talos SamSam Jan 2018](https://app.tidalcyber.com/references/0965bb64-be96-46b9-b60f-6829c43a661f)][[Sophos SamSam Apr 2018](https://app.tidalcyber.com/references/4da5e9c3-7205-4a6e-b147-be7c971380f0)][[Symantec SamSam Oct 2018](https://app.tidalcyber.com/references/c5022a91-bdf4-4187-9967-dfe6362219ea)]",
"meta": {
@@ -23007,12 +21849,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "88831e9f-453e-466f-9510-9acaa1f20368",
"value": "SamSam"
},
@@ -23032,10 +21869,6 @@
{
"dest-uuid": "0f41da7d-1e47-58fe-ba6e-ee658a985e1b",
"type": "used-by"
- },
- {
- "dest-uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0",
- "type": "similar"
}
],
"uuid": "bd75c822-7be6-5e6f-bd2e-0512be6d38d9",
@@ -23057,10 +21890,6 @@
{
"dest-uuid": "b3061284-0335-4dcb-9f8e-a3b0412fd46f",
"type": "used-by"
- },
- {
- "dest-uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb",
- "type": "similar"
}
],
"uuid": "9ab0d523-3496-5e64-9ca1-bb756f5e64e0",
@@ -23073,7 +21902,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5160",
+ "software_attack_id": "S3280",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -23087,6 +21916,56 @@
"uuid": "41be663f-ecc9-4ab6-afeb-c52737f84858",
"value": "Sc"
},
+ {
+ "description": "Scarab is a ransomware written in Delphi.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3181",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "da077c2b-9e7a-4f35-b187-af2876496799",
+ "value": "Scarab Ransomware"
+ },
+ {
+ "description": "ScService is a custom tool used by CosmicBeetle, mainly used as an orchestrator for other tools during the group's intrusions.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3180",
+ "source": "Tidal Cyber",
+ "tags": [
+ "be319849-fb2c-4b5f-8055-0bde562c280b",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "3d3f0187-d08a-468a-8956-b3502fdeaea5",
+ "value": "ScHackTool"
+ },
{
"description": "[schtasks](https://app.tidalcyber.com/software/2aacbf3a-a359-41d2-9a71-76447f0545b5) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [[TechNet Schtasks](https://app.tidalcyber.com/references/17c03e27-222d-41b5-9fa2-34f0939e5371)]",
"meta": {
@@ -23151,15 +22030,39 @@
{
"dest-uuid": "5825a840-5577-4ffc-a08d-3f48d64395cb",
"type": "used-by"
- },
- {
- "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
- "type": "similar"
}
],
"uuid": "2aacbf3a-a359-41d2-9a71-76447f0545b5",
"value": "schtasks"
},
+ {
+ "description": "ScRansom is a custom ransomware used by the CosmicBeetle group, serving as a successor to the previously used Scarab Ransomware.[[WeLiveSecurity CosmicBeetle September 10 2024](/references/8debba29-4d6d-41d2-8772-f97c7d49056b)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3178",
+ "source": "Tidal Cyber",
+ "tags": [
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "04b73cf2-33f4-4206-be9e-c80c4c9b54e8",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "34964908-7162-4bcc-ab2a-d0dc1b3b82ef",
+ "value": "ScRansom"
+ },
{
"description": "This object contains information sourced from the [Living Off The Land Binaries, Scripts and Libraries (LOLBAS)](https://github.com/LOLBAS-Project/LOLBAS) project, which is licensed under [GNU General Public License v3.0](https://github.com/LOLBAS-Project/LOLBAS/blob/master/LICENSE).\n\n**Description:** Execute binary through proxy binary to evade defensive counter measures\n\n**Author:** Oddvar Moe\n\n**Paths:**\n* C:\\Windows\\System32\\scriptrunner.exe\n* C:\\Windows\\SysWOW64\\scriptrunner.exe\n\n**Resources:**\n* [https://twitter.com/KyleHanslovan/status/914800377580503040](https://twitter.com/KyleHanslovan/status/914800377580503040)\n* [https://twitter.com/NickTyrer/status/914234924655312896](https://twitter.com/NickTyrer/status/914234924655312896)\n* [https://github.com/MoooKitty/Code-Execution](https://github.com/MoooKitty/Code-Execution)\n\n**Detection:**\n* Sigma: [proc_creation_win_servu_susp_child_process.yml](https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml)\n* IOC: Scriptrunner.exe should not be in use unless App-v is deployed[[Scriptrunner.exe - LOLBAS Project](/references/805d16cc-8bd0-4f80-b0ac-c5b5df51427c)]",
"meta": {
@@ -23167,7 +22070,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5161",
+ "software_attack_id": "S3282",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -23188,7 +22091,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5194",
+ "software_attack_id": "S3315",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -23202,6 +22105,28 @@
"uuid": "101f7867-9c5c-482e-b26e-9fdb8ff9b2c7",
"value": "Scrobj"
},
+ {
+ "description": "ScService is a custom, \"simple\" backdoor used by the CosmicBeetle group.[[WeLiveSecurity Scarab August 22 2023](/references/7cbf97fe-1809-4089-b386-a8bfd083df39)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3179",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "f9840d08-eb55-4c19-a1af-964e10dae0d4",
+ "value": "ScService"
+ },
{
"description": "[SDBbot](https://app.tidalcyber.com/software/046bbd0c-bff5-46fc-9028-cbe46a9f8ec5) is a backdoor with installer and loader components that has been used by [TA505](https://app.tidalcyber.com/groups/b3220638-6682-4a4e-ab64-e7dc4202a3f1) since at least 2019.[[Proofpoint TA505 October 2019](https://app.tidalcyber.com/references/711ea2b3-58e2-4b38-aa71-877029c12e64)][[IBM TA505 April 2020](https://app.tidalcyber.com/references/bcef8bf8-5fc2-4921-b920-74ef893b8a27)]",
"meta": {
@@ -23221,10 +22146,6 @@
{
"dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
"type": "used-by"
- },
- {
- "dest-uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c",
- "type": "similar"
}
],
"uuid": "046bbd0c-bff5-46fc-9028-cbe46a9f8ec5",
@@ -23261,10 +22182,6 @@
{
"dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
"type": "used-by"
- },
- {
- "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
- "type": "similar"
}
],
"uuid": "3d4be65d-231b-44bb-8d12-5038a3d48bae",
@@ -23289,10 +22206,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
- "type": "similar"
}
],
"uuid": "ae30d58e-21c5-41a4-9ebb-081dc1f26863",
@@ -23314,10 +22227,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491",
- "type": "similar"
}
],
"uuid": "3527b09b-f3f6-4716-9f90-64ea7d3b9d8a",
@@ -23342,10 +22251,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486",
- "type": "similar"
}
],
"uuid": "42c8504c-8a18-46d2-a145-35b0cd8ba669",
@@ -23358,7 +22263,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5042",
+ "software_attack_id": "S3044",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -23393,9 +22298,13 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5072",
+ "software_attack_id": "S3097",
"source": "Tidal Cyber",
"tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
"e1af18e3-3224-4e4c-9d0f-533768474508",
"61b7b81d-3f98-4bed-97a9-d6c536b8969b",
"35e694ec-5133-46e3-b7e1-5831867c3b55",
@@ -23435,7 +22344,7 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5329",
+ "software_attack_id": "S3144",
"source": "Tidal Cyber",
"tags": [
"96d58ca1-ab18-4e53-8891-d8ba62a47e5d",
@@ -23478,10 +22387,6 @@
{
"dest-uuid": "b3220638-6682-4a4e-ab64-e7dc4202a3f1",
"type": "used-by"
- },
- {
- "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213",
- "type": "similar"
}
],
"uuid": "704ed49d-103c-4b33-b85c-73670cc1d719",
@@ -23503,12 +22408,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "f931a0b9-0361-4b1b-bacf-955062c35746",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "fb47c051-d22b-4a05-94a7-cf979419b60a",
"value": "Seth-Locker"
},
@@ -23519,7 +22419,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5162",
+ "software_attack_id": "S3283",
"source": "Tidal Cyber",
"tags": [
"d75511ab-cbff-46d3-8268-427e3cff134a",
@@ -23541,7 +22441,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5163",
+ "software_attack_id": "S3284",
"source": "Tidal Cyber",
"tags": [
"8929bc83-9ed6-4579-b837-40236b59b383",
@@ -23563,7 +22463,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5195",
+ "software_attack_id": "S3316",
"source": "Tidal Cyber",
"tags": [
"da405033-3571-4f98-9810-53d9df1ac0fb",
@@ -23587,6 +22487,7 @@
"software_attack_id": "S0596",
"source": "MITRE",
"tags": [
+ "a7346d6d-d5c9-497c-b3b3-54fb95dd4d68",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
],
"type": [
@@ -23613,10 +22514,6 @@
{
"dest-uuid": "9f5c5672-5e7e-4440-afc8-3fdf46a1bb6c",
"type": "used-by"
- },
- {
- "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc",
- "type": "similar"
}
],
"uuid": "5190f50d-7e54-410a-9961-79ab751ddbab",
@@ -23637,12 +22534,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "840db1db-e262-4d6f-b6e3-2a64696a41c5",
"value": "Shamoon"
},
@@ -23665,10 +22557,6 @@
{
"dest-uuid": "eecf7289-294f-48dd-a747-7705820f4735",
"type": "used-by"
- },
- {
- "dest-uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229",
- "type": "similar"
}
],
"uuid": "278da5e8-4d4c-4c45-ad72-8f078872fb4a",
@@ -23681,7 +22569,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5075",
+ "software_attack_id": "S3100",
"source": "Tidal Cyber",
"tags": [
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96"
@@ -23715,10 +22603,6 @@
{
"dest-uuid": "f31df12e-66ea-5a49-87bc-2bc1756a89fc",
"type": "used-by"
- },
- {
- "dest-uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3",
- "type": "similar"
}
],
"uuid": "4ed1e83b-a208-5518-bed2-d07c1b289da2",
@@ -23731,7 +22615,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5327",
+ "software_attack_id": "S3142",
"source": "Tidal Cyber",
"tags": [
"8bf128ad-288b-41bc-904f-093f4fdde745",
@@ -23760,7 +22644,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5275",
+ "software_attack_id": "S3115",
"source": "Tidal Cyber",
"tags": [
"c5a258ce-9045-48d9-b254-ec2bf6437bb5",
@@ -23801,7 +22685,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5060",
+ "software_attack_id": "S3083",
"source": "Tidal Cyber",
"tags": [
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -23827,9 +22711,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5004",
+ "software_attack_id": "S3013",
"source": "Tidal Cyber",
"tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
"e1af18e3-3224-4e4c-9d0f-533768474508",
"cd1b5d44-226e-4405-8985-800492cf2865",
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
@@ -23842,6 +22727,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
+ "type": "used-by"
+ },
{
"dest-uuid": "a2add2a0-2b54-4623-a380-a9ad91f1f2dd",
"type": "used-by"
@@ -23870,10 +22759,6 @@
{
"dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
"type": "used-by"
- },
- {
- "dest-uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a",
- "type": "similar"
}
],
"uuid": "564643fd-7113-490e-9f6a-f0cc3f0e1a4c",
@@ -23898,10 +22783,6 @@
{
"dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"type": "used-by"
- },
- {
- "dest-uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9",
- "type": "similar"
}
],
"uuid": "f655306f-f7b4-4eec-9bd6-ac75142fcb43",
@@ -23914,7 +22795,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5196",
+ "software_attack_id": "S3317",
"source": "Tidal Cyber",
"tags": [
"2c0f0b44-9b09-49a0-8dc5-d9fdcc515825",
@@ -23936,7 +22817,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5197",
+ "software_attack_id": "S3318",
"source": "Tidal Cyber",
"tags": [
"e0b9882e-b9bb-4c16-b3d9-9268866eded0",
@@ -23958,7 +22839,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5198",
+ "software_attack_id": "S3319",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -23988,10 +22869,6 @@
{
"dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8",
"type": "used-by"
- },
- {
- "dest-uuid": "5763217a-05b6-4edd-9bca-057e47b5e403",
- "type": "similar"
}
],
"uuid": "a3287231-351f-472f-96cc-24db2e3829c7",
@@ -24013,10 +22890,6 @@
{
"dest-uuid": "8bc69792-c26d-4493-87e3-d8e47605fed8",
"type": "used-by"
- },
- {
- "dest-uuid": "115f88dd-0618-4389-83cb-98d33ae81848",
- "type": "similar"
}
],
"uuid": "77d9c948-93e3-4e12-9764-4da7570d9275",
@@ -24035,10 +22908,6 @@
{
"dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
"type": "used-by"
- },
- {
- "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a",
- "type": "similar"
}
],
"uuid": "3db0b464-ec5d-4cdd-86c2-62eac9c8acd6",
@@ -24060,10 +22929,6 @@
{
"dest-uuid": "9da726e6-af02-49b8-8ebe-7ea4235513c9",
"type": "used-by"
- },
- {
- "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
- "type": "similar"
}
],
"uuid": "49351818-579e-4298-9137-03b3dc699e22",
@@ -24082,10 +22947,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8",
- "type": "similar"
}
],
"uuid": "5b2d82a6-ed96-485d-bca9-2320590de890",
@@ -24100,6 +22961,7 @@
"software_attack_id": "S0589",
"source": "MITRE",
"tags": [
+ "a95bb8df-9089-4cea-9810-be32b99c3c5d",
"84615fe0-c2a5-4e07-8957-78ebc29b4635"
],
"type": [
@@ -24110,10 +22972,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c",
- "type": "similar"
}
],
"uuid": "ea0a1282-f2bf-4ae0-a19c-d7e379c2309b",
@@ -24138,10 +22996,6 @@
{
"dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
"type": "used-by"
- },
- {
- "dest-uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de",
- "type": "similar"
}
],
"uuid": "61227a76-d315-4339-803a-e024f96e089e",
@@ -24159,12 +23013,7 @@
"tool"
]
},
- "related": [
- {
- "dest-uuid": "1244e058-fa10-48cb-b484-0bcf671107ae",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4765999f-c35e-4a9f-8284-9f10a17e6c34",
"value": "SILENTTRINITY"
},
@@ -24184,12 +23033,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4fbd565b-bf55-4ac7-80b4-b183a7b64b9c",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "8ea75674-cc08-40cf-824c-40eb5cd6097e",
"value": "Siloscape"
},
@@ -24209,10 +23053,6 @@
{
"dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
"type": "used-by"
- },
- {
- "dest-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49",
- "type": "similar"
}
],
"uuid": "206453a4-a298-4cab-9fdf-f136a4e0c761",
@@ -24230,12 +23070,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "4b68b5ea-2e1b-4225-845b-8632f702b9a0",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "cc91d3d4-bbf5-4a9c-b43a-2ba034db4858",
"value": "Skidmap"
},
@@ -24256,10 +23091,6 @@
{
"dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
"type": "used-by"
- },
- {
- "dest-uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3",
- "type": "similar"
}
],
"uuid": "c8fed4fc-5721-5db2-b107-b2a9b677244e",
@@ -24276,6 +23107,10 @@
"software_attack_id": "S0633",
"source": "MITRE",
"tags": [
+ "0fa3a7df-9e1e-4540-996e-590715e8314a",
+ "d903e38b-600d-4736-9e3b-cf1a6e436481",
+ "d819ae1a-e385-49fd-88d5-f66660729ecb",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
"e81ba503-60b0-4b64-8f20-ef93e7783796"
],
"type": [
@@ -24283,6 +23118,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
@@ -24290,10 +23129,6 @@
{
"dest-uuid": "8e059c6b-d278-5454-a234-a8ad69feb66c",
"type": "used-by"
- },
- {
- "dest-uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be",
- "type": "similar"
}
],
"uuid": "bbd16b7b-7e35-4a11-86ff-9b19e17bdab3",
@@ -24311,12 +23146,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "feb2d7bb-aacb-48df-ad04-ccf41a30cd90",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "563c6534-497e-4d65-828c-420d5bb2041a",
"value": "SLOTHFULMEDIA"
},
@@ -24336,10 +23166,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16",
- "type": "similar"
}
],
"uuid": "7c047a54-93cf-4dfc-ab20-d905791aebb2",
@@ -24361,10 +23187,6 @@
{
"dest-uuid": "f46d6ee9-9d1d-586a-9f2d-6bff8fb92910",
"type": "used-by"
- },
- {
- "dest-uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4",
- "type": "similar"
}
],
"uuid": "37e264a6-5ad3-5a79-bf2c-db725622206e",
@@ -24389,10 +23211,6 @@
{
"dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"type": "used-by"
- },
- {
- "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5",
- "type": "similar"
}
],
"uuid": "c58028b9-2e79-4bc9-9b04-d24ea4dd4948",
@@ -24413,12 +23231,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "7e0f8b0f-716e-494d-827e-310bd6ed709e",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3",
"value": "SMOKEDHAM"
},
@@ -24448,10 +23261,6 @@
{
"dest-uuid": "f138c814-48c0-4638-a4d6-edc48e7ac23a",
"type": "used-by"
- },
- {
- "dest-uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0",
- "type": "similar"
}
],
"uuid": "2244253f-a4ad-4ea9-a4bf-fa2f4d895853",
@@ -24473,10 +23282,6 @@
{
"dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
"type": "used-by"
- },
- {
- "dest-uuid": "4327aff5-f194-440c-b499-4d9730cc1eab",
- "type": "similar"
}
],
"uuid": "f587dc27-92be-5894-a4a8-d6c8bbcf8ede",
@@ -24498,10 +23303,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
- "type": "similar"
}
],
"uuid": "d6c24f7c-fe79-4094-8f3c-68c4446ae4c7",
@@ -24526,10 +23327,6 @@
{
"dest-uuid": "0898e7cb-118e-5eeb-b856-04e56ed18182",
"type": "used-by"
- },
- {
- "dest-uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c",
- "type": "similar"
}
],
"uuid": "ab84f259-9b9a-51d8-a68a-2bcd7512d760",
@@ -24547,12 +23344,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c1906bb6-0b5b-4916-8b29-37f7e272f6b3",
"value": "Socksbot"
},
@@ -24575,10 +23367,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108",
- "type": "similar"
}
],
"uuid": "6ecd970c-427b-4421-a831-69f46047d22a",
@@ -24593,7 +23381,7 @@
"Linux",
"Windows"
],
- "software_attack_id": "S5305",
+ "software_attack_id": "S3071",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -24620,7 +23408,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5008",
+ "software_attack_id": "S3045",
"source": "Tidal Cyber",
"tags": [
"d903e38b-600d-4736-9e3b-cf1a6e436481",
@@ -24682,6 +23470,33 @@
"uuid": "4272447f-8803-4947-b66f-051eecdd3385",
"value": "SoftPerfect Network Scanner"
},
+ {
+ "description": "A backdoor capability associated with Iran-linked espionage group OilRig.[[ESET OilRig September 21 2023](/references/21ee3e95-ac4b-48f7-b948-249e1884bc96)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3161",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "07a94239-bdde-42e7-ba9c-a1d0c81e0c3b",
+ "value": "Solar"
+ },
{
"description": "[SombRAT](https://app.tidalcyber.com/software/0ec24158-d5d7-4d2e-b5a5-bc862328a317) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://app.tidalcyber.com/software/84187393-2fe9-4136-8720-a6893734ee8c) ransomware.[[BlackBerry CostaRicto November 2020](https://app.tidalcyber.com/references/93a23447-641c-4ee2-9fbd-64b2adea8a5f)][[FireEye FiveHands April 2021](https://app.tidalcyber.com/references/832aeb46-b248-43e8-9157-a2f56bcd1806)][[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]",
"meta": {
@@ -24697,12 +23512,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "425771c5-48b4-4ecd-9f95-74ed3fc9da59",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "0ec24158-d5d7-4d2e-b5a5-bc862328a317",
"value": "SombRAT"
},
@@ -24725,10 +23535,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0",
- "type": "similar"
}
],
"uuid": "3e959586-14ff-407b-a0d0-4e9580546f3f",
@@ -24750,10 +23556,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
- "type": "similar"
}
],
"uuid": "069538a5-3cb8-4eb4-9fbb-83867bb4d826",
@@ -24775,10 +23577,6 @@
{
"dest-uuid": "be45ff95-6c74-4000-bc39-63044673d82f",
"type": "used-by"
- },
- {
- "dest-uuid": "8b880b41-5139-4807-baa9-309690218719",
- "type": "similar"
}
],
"uuid": "0f8d0a73-9cd3-475a-b31b-d457278c921a",
@@ -24803,10 +23601,6 @@
{
"dest-uuid": "679b7b6b-9659-4e56-9ffd-688a6fab01b6",
"type": "used-by"
- },
- {
- "dest-uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4",
- "type": "similar"
}
],
"uuid": "93f8c180-6794-4e9c-b716-6b31f42eb72d",
@@ -24825,15 +23619,37 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "b9b67878-4eb1-4a0b-9b36-a798881ed566",
"value": "SpeakUp"
},
+ {
+ "description": "Spearal is a .NET-based backdoor malware linked to the OilRig Iranian espionage group, which uses DNS tunneling for command and control communication.[[Check Point Research September 11 2024](/references/53320d81-4060-4414-b5b8-21d09362bc44)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3183",
+ "source": "Tidal Cyber",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "25c85bfb-3833-4c57-867a-b7d9ff6c5a40",
+ "value": "Spearal"
+ },
{
"description": "SpectralBlur is a malware targeting macOS systems that has backdoor functionality. Researchers have linked the malware to \"TA444/Bluenoroff\" actors.[[Objective_See 1 4 2024](/references/c96535be-4859-4ae3-9ba0-d482f1195863)]",
"meta": {
@@ -24841,7 +23657,7 @@
"platforms": [
"macOS"
],
- "software_attack_id": "S5311",
+ "software_attack_id": "S3124",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -24868,7 +23684,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5055",
+ "software_attack_id": "S3078",
"source": "Tidal Cyber",
"tags": [
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
@@ -24907,10 +23723,6 @@
{
"dest-uuid": "58db02e6-d908-47c2-bc82-ed58ada61331",
"type": "used-by"
- },
- {
- "dest-uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0",
- "type": "similar"
}
],
"uuid": "2be9e22d-0af8-46f5-b30e-b3712ccf716d",
@@ -24923,7 +23735,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5009",
+ "software_attack_id": "S3046",
"source": "Tidal Cyber",
"tags": [
"d903e38b-600d-4736-9e3b-cf1a6e436481",
@@ -24986,7 +23798,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5322",
+ "software_attack_id": "S3137",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -25026,10 +23838,6 @@
{
"dest-uuid": "26c0925f-1a3c-4df6-b27a-62b9731299b8",
"type": "used-by"
- },
- {
- "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
- "type": "similar"
}
],
"uuid": "0fdabff3-d996-493c-af67-f3ac02e4b00b",
@@ -25042,7 +23850,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5235",
+ "software_attack_id": "S3356",
"source": "Tidal Cyber",
"tags": [
"e992169d-832d-44e9-8218-0f4ab0ff72b4",
@@ -25074,10 +23882,6 @@
{
"dest-uuid": "e38bcb42-12c1-4202-a794-ec26cd830caa",
"type": "used-by"
- },
- {
- "dest-uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
- "type": "similar"
}
],
"uuid": "96c224a6-6ca4-4ac1-9990-d863ec5a317a",
@@ -25090,7 +23894,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5236",
+ "software_attack_id": "S3357",
"source": "Tidal Cyber",
"tags": [
"da7e88fd-2d71-4928-81ce-e3d455b3d418",
@@ -25121,10 +23925,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06",
- "type": "similar"
}
],
"uuid": "612f780a-239a-4bd0-a29f-63beadf3ed22",
@@ -25137,7 +23937,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5237",
+ "software_attack_id": "S3358",
"source": "Tidal Cyber",
"tags": [
"f4867256-402a-4bcb-97d3-e071ee0993c1",
@@ -25159,7 +23959,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5238",
+ "software_attack_id": "S3359",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -25188,12 +23988,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "3c18ad16-9eaf-4649-984e-68551bff0d47",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "46943a69-0b19-4d3a-b2a3-1302e85239a3",
"value": "Squirrelwaffle"
},
@@ -25204,7 +23999,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5164",
+ "software_attack_id": "S3285",
"source": "Tidal Cyber",
"tags": [
"6070668f-1cbd-4878-8066-c636d1d8659c",
@@ -25237,10 +24032,6 @@
{
"dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"type": "used-by"
- },
- {
- "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
- "type": "similar"
}
],
"uuid": "3334a124-3e74-4a90-8ed1-55eea3274b19",
@@ -25262,10 +24053,6 @@
{
"dest-uuid": "6632f07f-7c6b-4d12-8544-82edc6a7a577",
"type": "used-by"
- },
- {
- "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4",
- "type": "similar"
}
],
"uuid": "fc18e220-2200-4d70-a426-0700ba14c4c0",
@@ -25290,10 +24077,6 @@
{
"dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
"type": "used-by"
- },
- {
- "dest-uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532",
- "type": "similar"
}
],
"uuid": "764c6121-2d15-4a10-ac53-b1c431dc8b47",
@@ -25311,12 +24094,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "ca0fead6-5277-427a-825b-42ff1fbe476e",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ea561f0b-b891-5735-aa99-97cc8818fbef",
"value": "STEADYPULSE"
},
@@ -25327,7 +24105,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5298",
+ "software_attack_id": "S3060",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -25349,7 +24127,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5296",
+ "software_attack_id": "S3019",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -25388,10 +24166,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887",
- "type": "similar"
}
],
"uuid": "9eee52a2-5ac1-4561-826c-23ec7fbc7876",
@@ -25404,7 +24178,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5337",
+ "software_attack_id": "S3152",
"source": "Tidal Cyber",
"tags": [
"84615fe0-c2a5-4e07-8957-78ebc29b4635",
@@ -25426,7 +24200,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5165",
+ "software_attack_id": "S3286",
"source": "Tidal Cyber",
"tags": [
"f0e3d6ea-d7ea-4d73-b868-1076fac744a8",
@@ -25457,10 +24231,6 @@
{
"dest-uuid": "43f826a1-e8c8-47b8-9b00-38e1b3e4293b",
"type": "used-by"
- },
- {
- "dest-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
- "type": "similar"
}
],
"uuid": "502b490c-2067-40a4-8f73-7245d7910851",
@@ -25485,10 +24255,6 @@
{
"dest-uuid": "a41725c5-eb3a-4772-8d1e-17c3bbade79c",
"type": "used-by"
- },
- {
- "dest-uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0",
- "type": "similar"
}
],
"uuid": "dd8bb0a3-6cb1-412d-adeb-cbaae98462a9",
@@ -25510,10 +24276,6 @@
{
"dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0",
"type": "used-by"
- },
- {
- "dest-uuid": "20945359-3b39-4542-85ef-08ecb4e1c174",
- "type": "similar"
}
],
"uuid": "ed563524-235e-4e06-8c69-3f9d8ddbfd8a",
@@ -25535,12 +24297,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "088f1d6e-0783-47c6-9923-9c79b2af43d4",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "3fdf3833-fca9-4414-8d2e-779dabc4ee31",
"value": "Stuxnet"
},
@@ -25556,12 +24313,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "b19b6c38-d38b-46f2-a535-d0bfc5790368",
"value": "S-Type"
},
@@ -25577,12 +24329,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "9c10cede-c0bb-4c5c-91c0-8baec30abaf6",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "6ff7bf2e-286c-4b1b-92a0-1e5322870c59",
"value": "SUGARDUMP"
},
@@ -25598,12 +24345,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "44e2a842-415b-47f4-8549-83fbdb8a5674",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "004c781a-3d7d-446b-9677-a042c8f6566e",
"value": "SUGARUSH"
},
@@ -25626,10 +24368,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927",
- "type": "similar"
}
],
"uuid": "6b04e98e-c541-4958-a8a5-d433e575ce78",
@@ -25655,10 +24393,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6",
- "type": "similar"
}
],
"uuid": "66966a12-3db3-4e43-a7e8-6c6836ccd8fe",
@@ -25676,12 +24410,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f02abaee-237b-4891-bb5d-30ca86dfc2c8",
"value": "SUPERNOVA"
},
@@ -25700,12 +24429,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "a8110f81-5ee9-5819-91ce-3a57aa330dcb",
"value": "SVCReady"
},
@@ -25721,12 +24445,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ae749f9c-cf46-42ce-b0b8-f0be8660e3f3",
"value": "Sykipot"
},
@@ -25746,12 +24465,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "04227b24-7817-4de1-9050-b7b1b57f5866",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "19ae8345-745e-4872-8a29-d56c8800d626",
"value": "SynAck"
},
@@ -25762,7 +24476,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5261",
+ "software_attack_id": "S3382",
"source": "Tidal Cyber",
"tags": [
"9e504206-7a84-40a5-b896-8995d82e3586",
@@ -25784,7 +24498,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5166",
+ "software_attack_id": "S3287",
"source": "Tidal Cyber",
"tags": [
"acda137a-d1c9-4216-9c08-d07c8d899725",
@@ -25814,12 +24528,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "84c1ecc6-e5a2-4e8a-bf4b-651a618e0053",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "69ab291d-5066-4e47-9862-1f5c7bac7200",
"value": "SYNful Knock"
},
@@ -25839,10 +24548,6 @@
{
"dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"type": "used-by"
- },
- {
- "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
- "type": "similar"
}
],
"uuid": "2df35a92-2295-417a-af5a-ba5c943ef40d",
@@ -25863,12 +24568,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ea556a8d-4959-423f-a2dd-622d0497d484",
"value": "SYSCON"
},
@@ -25879,7 +24579,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5199",
+ "software_attack_id": "S3320",
"source": "Tidal Cyber",
"tags": [
"9105775d-bdcb-45cc-895d-6c7bbb3d30ce",
@@ -25901,7 +24601,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5058",
+ "software_attack_id": "S3081",
"source": "Tidal Cyber",
"tags": [
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -25917,6 +24617,10 @@
"dest-uuid": "1d751794-ce94-4936-bf45-4ab86d0e3b6e",
"type": "used-by"
},
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
+ },
{
"dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
"type": "used-by"
@@ -25999,10 +24703,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
- "type": "similar"
}
],
"uuid": "cecea681-a753-47b5-9d77-c10a5b4403ab",
@@ -26025,10 +24725,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "c009560a-f097-45a3-8f9f-78ec1440a783",
- "type": "similar"
}
],
"uuid": "148d587c-3b1e-4e71-bdfb-8c37005e7e77",
@@ -26046,12 +24742,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "c5647cc4-0d46-4a41-8591-9179737747a2",
"value": "T9000"
},
@@ -26062,7 +24753,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5066",
+ "software_attack_id": "S3091",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -26076,6 +24767,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "dcb260d8-9d53-404f-9ff5-dbee2c6effe6",
+ "type": "used-by"
+ },
{
"dest-uuid": "3d77fb6c-cfb4-5563-b0be-7aa1ad535337",
"type": "used-by"
@@ -26096,12 +24791,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "9334df79-9023-44bb-bc28-16c1f07b836b",
"value": "Taidoor"
},
@@ -26112,7 +24802,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5069",
+ "software_attack_id": "S3094",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -26150,10 +24840,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152",
- "type": "similar"
}
],
"uuid": "1548c94a-fb4d-43d8-9956-ea26f5cc552f",
@@ -26171,12 +24857,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "b51797f7-57da-4210-b8ac-b8632ee75d70",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "b1b7a8d9-6df3-4e89-8622-a6eea3da729b",
"value": "TajMahal"
},
@@ -26187,7 +24868,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5334",
+ "software_attack_id": "S3149",
"source": "Tidal Cyber",
"tags": [
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
@@ -26214,9 +24895,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5167",
+ "software_attack_id": "S3288",
"source": "Tidal Cyber",
"tags": [
+ "25b4fafc-4691-4008-8baa-35dbbcce752a",
"303a3675-4855-4323-b042-95bb1d907cca",
"509a90c7-9ca9-4b23-bca2-cd38ef6a6207"
],
@@ -26244,10 +24926,6 @@
{
"dest-uuid": "1bcc9382-ccfe-4b04-91f3-ef1250df5e5b",
"type": "used-by"
- },
- {
- "dest-uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8",
- "type": "similar"
}
],
"uuid": "7bb9d181-4405-4938-bafb-b13cc98b6cd8",
@@ -26319,10 +24997,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
- "type": "similar"
}
],
"uuid": "abae8f19-9497-4a71-82b6-ae6edd26ad98",
@@ -26337,7 +25011,7 @@
"macOS",
"Windows"
],
- "software_attack_id": "S5267",
+ "software_attack_id": "S3108",
"source": "Tidal Cyber",
"tags": [
"96d58ca1-ab18-4e53-8891-d8ba62a47e5d",
@@ -26369,7 +25043,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5044",
+ "software_attack_id": "S3047",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -26389,6 +25063,10 @@
]
},
"related": [
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "d0f3353c-fbdd-4bd5-8793-a42e1f319b59",
"type": "used-by"
@@ -26413,10 +25091,6 @@
{
"dest-uuid": "6a8f5eca-8ecc-4bff-9c5f-5380e044ed5b",
"type": "used-by"
- },
- {
- "dest-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
- "type": "similar"
}
],
"uuid": "e7116740-fe7c-45e2-b98d-0c594a7dff2f",
@@ -26429,7 +25103,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5239",
+ "software_attack_id": "S3360",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -26450,7 +25124,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5240",
+ "software_attack_id": "S3361",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -26471,7 +25145,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5010",
+ "software_attack_id": "S3048",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -26554,10 +25228,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26",
- "type": "similar"
}
],
"uuid": "bae20f59-469c-451c-b4ca-70a9a04a1574",
@@ -26570,7 +25240,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5011",
+ "software_attack_id": "S3051",
"source": "Tidal Cyber",
"tags": [
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
@@ -26592,7 +25262,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5283",
+ "software_attack_id": "S3122",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -26623,7 +25293,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5241",
+ "software_attack_id": "S3362",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -26656,10 +25326,6 @@
{
"dest-uuid": "4348c510-50fc-4448-ab8d-c8cededd19ff",
"type": "used-by"
- },
- {
- "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
- "type": "similar"
}
],
"uuid": "49d0ae81-d51b-4534-b1e0-08371a47ef79",
@@ -26682,12 +25348,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "727afb95-3d0f-4451-b297-362a43909923",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "2ed5f691-68eb-49dd-b730-793dc8a7d134",
"value": "ThiefQuest"
},
@@ -26707,10 +25368,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092",
- "type": "similar"
}
],
"uuid": "b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e",
@@ -26723,7 +25380,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5045",
+ "software_attack_id": "S3049",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -26758,7 +25415,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5335",
+ "software_attack_id": "S3150",
"source": "Tidal Cyber",
"tags": [
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
@@ -26787,7 +25444,7 @@
"macOS",
"Windows"
],
- "software_attack_id": "S5015",
+ "software_attack_id": "S3054",
"source": "Tidal Cyber",
"tags": [
"e551ae97-d1b4-484e-9267-89f33829ec2c",
@@ -26841,10 +25498,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab",
- "type": "similar"
}
],
"uuid": "39f0371c-b755-4655-a97e-82a572f2fae4",
@@ -26866,10 +25519,6 @@
{
"dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
"type": "used-by"
- },
- {
- "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
- "type": "similar"
}
],
"uuid": "0e009cb8-848e-427a-9581-d3a4fd9f6a87",
@@ -26891,10 +25540,6 @@
{
"dest-uuid": "c8cc6ce8-d421-42e6-a6eb-2ea9d2d9ab07",
"type": "used-by"
- },
- {
- "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
- "type": "similar"
}
],
"uuid": "277290fe-51f3-4822-bb46-8b69fd1c8ae5",
@@ -26912,12 +25557,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "327b3a25-9e60-4431-b3b6-93b9c64eacbc",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "eff417ad-c775-4a95-9f36-a1b5a675ba82",
"value": "Tomiris"
},
@@ -26970,10 +25610,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
- "type": "similar"
}
],
"uuid": "8c70d85b-b06d-423c-8bab-ecff18f332d6",
@@ -26991,12 +25627,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "4bce135b-91ba-45ae-88f9-09e01f983a74",
"value": "Torisma"
},
@@ -27007,7 +25638,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5242",
+ "software_attack_id": "S3363",
"source": "Tidal Cyber",
"tags": [
"3c9b26cf-9bda-4feb-ab42-ef7865cc80fd",
@@ -27041,10 +25672,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e",
- "type": "similar"
}
],
"uuid": "7a6ae9f8-5f8b-4e94-8716-d8ee82027197",
@@ -27077,10 +25704,6 @@
{
"dest-uuid": "6d6ed42c-760c-4964-a81e-1d4df06a8800",
"type": "used-by"
- },
- {
- "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556",
- "type": "similar"
}
],
"uuid": "c2bd4213-fc7b-474f-b5a0-28145b07c51d",
@@ -27102,10 +25725,6 @@
{
"dest-uuid": "472080b0-e3d4-4546-9272-c4359fe856e1",
"type": "used-by"
- },
- {
- "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
- "type": "similar"
}
],
"uuid": "b88c4891-40da-4832-ba42-6c6acd455bd1",
@@ -27123,12 +25742,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "f8a4213d-633b-4e3d-8e59-a769e852b93b",
"value": "Trojan.Mebromi"
},
@@ -27139,9 +25753,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5000",
+ "software_attack_id": "S3005",
"source": "Tidal Cyber",
"tags": [
+ "4e00b987-cd79-4b6a-9afe-c3b291ee2938",
"1dc8fd1e-0737-405a-98a1-111dd557f1b5",
"15787198-6c8b-4f79-bf50-258d55072fee",
"a98d7a43-f227-478e-81de-e7299639a355",
@@ -27185,10 +25800,6 @@
{
"dest-uuid": "cc798766-8662-4b55-8536-6d057fbc58f0",
"type": "used-by"
- },
- {
- "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
- "type": "similar"
}
],
"uuid": "50844dba-8999-42ba-ba29-511e3faf4bc3",
@@ -27210,10 +25821,6 @@
{
"dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
"type": "used-by"
- },
- {
- "dest-uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace",
- "type": "similar"
}
],
"uuid": "9872ab5a-c76e-4404-91f9-5b745722443b",
@@ -27228,7 +25835,7 @@
"macOS",
"Windows"
],
- "software_attack_id": "S5268",
+ "software_attack_id": "S3109",
"source": "Tidal Cyber",
"tags": [
"e1be4b53-7524-4e88-bf6d-358cfdf96772",
@@ -27251,7 +25858,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5168",
+ "software_attack_id": "S3289",
"source": "Tidal Cyber",
"tags": [
"fc67aea7-f207-4cf5-8413-e33c76538cf6",
@@ -27273,7 +25880,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5169",
+ "software_attack_id": "S3290",
"source": "Tidal Cyber",
"tags": [
"3c4e3160-4e82-49ce-b6a3-17879dd4b83c",
@@ -27305,10 +25912,6 @@
{
"dest-uuid": "e5b0da2b-12bc-4113-9459-9c51329c9ae0",
"type": "used-by"
- },
- {
- "dest-uuid": "350f12cf-fd3b-4dad-b323-14b943090df4",
- "type": "similar"
}
],
"uuid": "571a45a7-68c9-452c-99bf-1d5b5fdd08b3",
@@ -27322,6 +25925,9 @@
],
"software_attack_id": "S0199",
"source": "MITRE",
+ "tags": [
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
+ ],
"type": [
"malware"
]
@@ -27330,10 +25936,6 @@
{
"dest-uuid": "99bbbe25-45af-492f-a7ff-7cbc57828bac",
"type": "used-by"
- },
- {
- "dest-uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
- "type": "similar"
}
],
"uuid": "c7f10715-cf13-4360-8511-aa3f93dd7688",
@@ -27358,10 +25960,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
- "type": "similar"
}
],
"uuid": "6c93d3c4-cae5-48a9-948d-bc5264230316",
@@ -27373,6 +25971,7 @@
"software_attack_id": "S0116",
"source": "MITRE",
"tags": [
+ "8450b5c7-acf1-41df-afc2-5c20e12436c0",
"7de7d799-f836-4555-97a4-0db776eb6932",
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96"
],
@@ -27380,12 +25979,7 @@
"tool"
]
},
- "related": [
- {
- "dest-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5788edee-d1b7-4406-9122-bee596362236",
"value": "UACMe"
},
@@ -27401,12 +25995,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "5214ae01-ccd5-4e97-8f9c-14eb16e75544",
"value": "UBoatRAT"
},
@@ -27422,12 +26011,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "3d8e547d-9456-4f32-a895-dc86134e282f",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "227c12df-8126-4e79-b9bd-0e4633fa12fa",
"value": "Umbreon"
},
@@ -27438,7 +26022,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5276",
+ "software_attack_id": "S3116",
"source": "Tidal Cyber",
"tags": [
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -27477,10 +26061,6 @@
{
"dest-uuid": "32385eba-7bbf-439e-acf2-83040e97165a",
"type": "used-by"
- },
- {
- "dest-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
- "type": "similar"
}
],
"uuid": "846b3762-3949-4501-b781-6dca22db088f",
@@ -27493,7 +26073,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5170",
+ "software_attack_id": "S3291",
"source": "Tidal Cyber",
"tags": [
"40f11d0d-09f2-4bd1-bc79-1430464a52a7",
@@ -27515,7 +26095,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5243",
+ "software_attack_id": "S3364",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -27545,10 +26125,6 @@
{
"dest-uuid": "fb93231d-2ae4-45da-9dea-4c372a11f322",
"type": "used-by"
- },
- {
- "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa",
- "type": "similar"
}
],
"uuid": "a3c211f8-52aa-4bfd-8382-940f2194af28",
@@ -27561,7 +26137,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5200",
+ "software_attack_id": "S3321",
"source": "Tidal Cyber",
"tags": [
"34505028-b7d8-4da4-8dee-9926f3dbd37a",
@@ -27597,10 +26173,6 @@
{
"dest-uuid": "47ae4fb1-fc61-4e8e-9310-66dda706e1a2",
"type": "used-by"
- },
- {
- "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
- "type": "similar"
}
],
"uuid": "89ffc27c-b81f-473a-87d6-907cacdce61c",
@@ -27615,6 +26187,7 @@
"software_attack_id": "S0386",
"source": "MITRE",
"tags": [
+ "88f27876-7be0-413b-8d91-5fa031d469fb",
"15787198-6c8b-4f79-bf50-258d55072fee",
"4d767e87-4cf6-438a-927a-43d2d0beaab7",
"f8669b82-2194-49a9-8e20-92e7f9ab0a6f"
@@ -27639,10 +26212,6 @@
{
"dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
"type": "used-by"
- },
- {
- "dest-uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407",
- "type": "similar"
}
],
"uuid": "3e501609-87e4-4c47-bd88-5054be0f1037",
@@ -27664,10 +26233,6 @@
{
"dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
"type": "used-by"
- },
- {
- "dest-uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984",
- "type": "similar"
}
],
"uuid": "26d93db8-dbc3-44b5-a393-2b219cef4f5b",
@@ -27692,10 +26257,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
- "type": "similar"
}
],
"uuid": "50eab018-8d52-46f5-8252-95942c2c0a89",
@@ -27708,7 +26269,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5262",
+ "software_attack_id": "S3383",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -27741,10 +26302,6 @@
{
"dest-uuid": "8951bff3-c444-4374-8a9e-b2115d9125b2",
"type": "used-by"
- },
- {
- "dest-uuid": "ade37ada-14af-4b44-b36c-210eec255d53",
- "type": "similar"
}
],
"uuid": "b149f12f-3cf4-4547-841d-c63b7677547d",
@@ -27769,10 +26326,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194",
- "type": "similar"
}
],
"uuid": "63940761-8dea-4362-8795-7bc0653ce1d4",
@@ -27794,10 +26347,6 @@
{
"dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"type": "used-by"
- },
- {
- "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5",
- "type": "similar"
}
],
"uuid": "fe116518-cd0c-4b10-8190-4f57208df4e4",
@@ -27810,7 +26359,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5171",
+ "software_attack_id": "S3292",
"source": "Tidal Cyber",
"tags": [
"bc6f5172-90af-491e-817d-2eaa522f93af",
@@ -27841,15 +26390,39 @@
{
"dest-uuid": "d7c58e7f-f0b0-44c6-b205-5adcfb56f0e6",
"type": "used-by"
- },
- {
- "dest-uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed",
- "type": "similar"
}
],
"uuid": "150b6079-bb10-48a8-b570-fbe8b0e3287c",
"value": "VBShower"
},
+ {
+ "description": "Veaty is a .NET-based backdoor malware linked to the OilRig Iranian espionage group, which uses emails for command and control communication.[[Check Point Research September 11 2024](/references/53320d81-4060-4414-b5b8-21d09362bc44)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3182",
+ "source": "Tidal Cyber",
+ "tags": [
+ "15f2277a-a17e-4d85-8acd-480bf84f16b4",
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d01abdb1-0378-4654-aa38-1a4a292703e2",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "36c06aee-5574-4094-a579-8ec7c9929040",
+ "value": "Veaty"
+ },
{
"description": "A prominent ransomware family.[[HC3 Analyst Note Venus Ransomware November 2022](/references/bd6e6a59-3a73-48f6-84cd-e7c027c8671f)]",
"meta": {
@@ -27857,9 +26430,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5293",
+ "software_attack_id": "S3014",
"source": "Tidal Cyber",
"tags": [
+ "537bb659-7c9b-4354-b1da-03989ce412c8",
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
"562e535e-19f5-4d6c-81ed-ce2aec544f09",
"5e7433ad-a894-4489-93bc-41e90da90019",
@@ -27881,7 +26455,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5172",
+ "software_attack_id": "S3293",
"source": "Tidal Cyber",
"tags": [
"4e91036d-809b-4eae-8a09-86bdc6cd1f0e",
@@ -27908,12 +26482,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "afa4023f-aa2e-45d6-bb3c-38e61f876eac",
"value": "VERMIN"
},
@@ -27924,9 +26493,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5071",
+ "software_attack_id": "S3096",
"source": "Tidal Cyber",
"tags": [
+ "26028765-3b6d-419c-92b5-5fbe345a26d1",
"fdd53e62-5bf1-41f1-8bd6-b970a866c39d",
"d431939f-2dc0-410b-83f7-86c458125444",
"15787198-6c8b-4f79-bf50-258d55072fee",
@@ -27952,7 +26522,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5246",
+ "software_attack_id": "S3367",
"source": "Tidal Cyber",
"tags": [
"5e096dac-47b7-4657-a57b-752ef7da0263",
@@ -27967,6 +26537,30 @@
"uuid": "acfbcd12-25fd-41cd-83ef-c7af7cb59fff",
"value": "VisualUiaVerifyNative"
},
+ {
+ "description": "According to Proofpoint researchers, Voldemort is a custom backdoor malware written in C. It has the ability to collect victim system information and to drop additional payloads.[[Proofpoint August 29 2024](/references/548f23b2-3ab6-4ea0-839f-8f9c8745d91d)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3163",
+ "source": "Tidal Cyber",
+ "tags": [
+ "fe28cf32-a15c-44cf-892c-faa0360d6109",
+ "82009876-294a-4e06-8cfc-3236a429bda4",
+ "f8669b82-2194-49a9-8e20-92e7f9ab0a6f",
+ "c6e1f516-1a18-4ff9-b563-e6ac8103b104",
+ "2feda37d-5579-4102-a073-aa02e82cb49f"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [],
+ "uuid": "e1dcbb6c-00ef-46f1-9da2-44b43b533256",
+ "value": "Voldemort"
+ },
{
"description": "[Volgmer](https://app.tidalcyber.com/software/7fcfba45-5752-4f0c-8023-db67729ae34e) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [[US-CERT Volgmer Nov 2017](https://app.tidalcyber.com/references/c48c7ac0-8d55-4b62-9606-a9ce420459b6)]",
"meta": {
@@ -27983,10 +26577,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
- "type": "similar"
}
],
"uuid": "7fcfba45-5752-4f0c-8023-db67729ae34e",
@@ -27999,7 +26589,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5244",
+ "software_attack_id": "S3365",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -28020,7 +26610,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5247",
+ "software_attack_id": "S3368",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -28041,7 +26631,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5245",
+ "software_attack_id": "S3366",
"source": "Tidal Cyber",
"tags": [
"0bf195a2-c577-4317-973e-a72dde5a06e6",
@@ -28063,7 +26653,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5248",
+ "software_attack_id": "S3369",
"source": "Tidal Cyber",
"tags": [
"71bc284c-bfce-4191-80e0-ef70ff4315bf",
@@ -28085,7 +26675,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5253",
+ "software_attack_id": "S3374",
"source": "Tidal Cyber",
"tags": [
"375cb8ad-2b6a-49b7-8eb3-757aaaf72d8b",
@@ -28107,7 +26697,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5301",
+ "software_attack_id": "S3063",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -28134,7 +26724,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5254",
+ "software_attack_id": "S3375",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -28155,7 +26745,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5173",
+ "software_attack_id": "S3294",
"source": "Tidal Cyber",
"tags": [
"a53c9f4b-6f0d-4afa-b1ac-8e2d91279210",
@@ -28196,10 +26786,6 @@
{
"dest-uuid": "0bc66e95-de93-4de7-b415-4041b7191f08",
"type": "used-by"
- },
- {
- "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
- "type": "similar"
}
],
"uuid": "6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a",
@@ -28217,12 +26803,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "9a592b49-1701-5e4c-95cf-9b8c98b80527",
"value": "WARPWIRE"
},
@@ -28235,6 +26816,7 @@
"software_attack_id": "S0670",
"source": "MITRE",
"tags": [
+ "b10ffa34-c6ef-4473-b951-9a05dacf68b5",
"15787198-6c8b-4f79-bf50-258d55072fee"
],
"type": [
@@ -28257,10 +26839,6 @@
{
"dest-uuid": "1bfbb1e1-022c-57e9-b70e-711c601640be",
"type": "used-by"
- },
- {
- "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b",
- "type": "similar"
}
],
"uuid": "cfebe868-15cb-4be5-b7ed-38b52f2a0722",
@@ -28286,10 +26864,6 @@
{
"dest-uuid": "3c7ad595-1940-40fc-b9ca-3e649c1e5d87",
"type": "used-by"
- },
- {
- "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927",
- "type": "similar"
}
],
"uuid": "0ba6ee8d-2b29-4980-8e55-348ea05f00ad",
@@ -28311,10 +26885,6 @@
{
"dest-uuid": "528ab2ea-b8f1-44d8-8831-2a89fefd97cb",
"type": "used-by"
- },
- {
- "dest-uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb",
- "type": "similar"
}
],
"uuid": "56872a5b-dc01-455c-85d5-06c577abb030",
@@ -28339,10 +26909,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22",
- "type": "similar"
}
],
"uuid": "f228af8f-8938-4836-9461-c6ca220ed7c5",
@@ -28367,10 +26933,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a",
- "type": "similar"
}
],
"uuid": "b936a1b3-5493-4d6c-9b69-29addeace418",
@@ -28396,10 +26958,6 @@
{
"dest-uuid": "4c3e48b9-4426-4271-a7af-c3dfad79f447",
"type": "used-by"
- },
- {
- "dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4",
- "type": "similar"
}
],
"uuid": "20725ec7-ee35-44cf-bed6-91158aa03ce4",
@@ -28452,10 +27010,6 @@
{
"dest-uuid": "0610cd57-2511-467a-97e3-3c810384074f",
"type": "used-by"
- },
- {
- "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a",
- "type": "similar"
}
],
"uuid": "2bcbcea6-192a-4501-aab1-1edde53875fa",
@@ -28468,7 +27022,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5249",
+ "software_attack_id": "S3370",
"source": "Tidal Cyber",
"tags": [
"be621f15-1788-490f-b8bb-85511a5a8074",
@@ -28492,6 +27046,13 @@
"software_attack_id": "S0689",
"source": "MITRE",
"tags": [
+ "af5e9be5-b86e-47af-91dd-966a5e34a186",
+ "35e694ec-5133-46e3-b7e1-5831867c3b55",
+ "d8f7e071-fbfd-46f8-b431-e241bb1513ac",
+ "61cdbb28-cbfd-498b-9ab1-1f14337f9524",
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "768c90a8-21b2-403b-8ddc-28181bca7aca",
"2e621fc5-dea4-4cb9-987e-305845986cd3"
],
"type": [
@@ -28502,10 +27063,6 @@
{
"dest-uuid": "407274be-1820-4a84-939e-629313f4de1d",
"type": "used-by"
- },
- {
- "dest-uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7",
- "type": "similar"
}
],
"uuid": "791f0afd-c2c4-4e23-8aee-1d14462667f5",
@@ -28527,10 +27084,6 @@
{
"dest-uuid": "51146bb6-7478-44a3-8f08-19adcdceffca",
"type": "used-by"
- },
- {
- "dest-uuid": "039814a0-88de-46c5-a4fb-b293db21880a",
- "type": "similar"
}
],
"uuid": "7b393608-c141-48af-ae3d-3eff13c3e01c",
@@ -28579,10 +27132,6 @@
{
"dest-uuid": "79be2f31-5626-425e-844c-fd9c99e38fe5",
"type": "used-by"
- },
- {
- "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
- "type": "similar"
}
],
"uuid": "7c2c44d7-b307-4e13-b181-52352975a6f5",
@@ -28601,10 +27150,6 @@
{
"dest-uuid": "c0fe9859-e8de-4ce1-bc3c-b489e914a145",
"type": "used-by"
- },
- {
- "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
- "type": "similar"
}
],
"uuid": "ed50dcf7-e283-451e-95b1-a8485f8dd214",
@@ -28626,10 +27171,6 @@
{
"dest-uuid": "4e880d01-313a-4926-8470-78c48824aa82",
"type": "used-by"
- },
- {
- "dest-uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
- "type": "similar"
}
],
"uuid": "3afe711d-ed58-4c94-a9b6-9c847e1e8a2f",
@@ -28648,10 +27189,6 @@
{
"dest-uuid": "013fdfdc-aa32-4779-8f6e-7920615cbf66",
"type": "used-by"
- },
- {
- "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845",
- "type": "similar"
}
],
"uuid": "5f994df7-55b0-4383-8ebc-506d4987292a",
@@ -28678,10 +27215,6 @@
{
"dest-uuid": "d428f9be-6faf-4d57-b677-4a927fea5f7e",
"type": "used-by"
- },
- {
- "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
- "type": "similar"
}
],
"uuid": "65d5b524-0e84-417d-9884-e2c501abfacd",
@@ -28703,10 +27236,6 @@
{
"dest-uuid": "3a660ef3-9954-4252-8946-f903f3f42d0c",
"type": "used-by"
- },
- {
- "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
- "type": "similar"
}
],
"uuid": "3e70078f-407e-4b03-b604-bdc05b372f37",
@@ -28719,7 +27248,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5174",
+ "software_attack_id": "S3295",
"source": "Tidal Cyber",
"tags": [
"61f778ca-b2f1-4877-b0f5-fd5e87b6ddab",
@@ -28750,10 +27279,6 @@
{
"dest-uuid": "a80c00b2-b8b6-4780-99bb-df8fe921947d",
"type": "used-by"
- },
- {
- "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
- "type": "similar"
}
],
"uuid": "e10423c2-71a7-4878-96ba-343191136c19",
@@ -28779,10 +27304,6 @@
{
"dest-uuid": "646e35d2-75de-4c1d-8ad3-616d3e155c5e",
"type": "used-by"
- },
- {
- "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105",
- "type": "similar"
}
],
"uuid": "e384e711-0796-4cbc-8854-8c3f939faf57",
@@ -28804,10 +27325,6 @@
{
"dest-uuid": "6932662a-53a7-4e43-877f-6e940e2d744b",
"type": "used-by"
- },
- {
- "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
- "type": "similar"
}
],
"uuid": "245c216e-41c3-4dec-8b23-bfc7c6a46d6e",
@@ -28820,7 +27337,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5081",
+ "software_attack_id": "S3105",
"source": "Tidal Cyber",
"tags": [
"af5e9be5-b86e-47af-91dd-966a5e34a186",
@@ -28869,7 +27386,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5263",
+ "software_attack_id": "S3384",
"source": "Tidal Cyber",
"tags": [
"2eecd309-e75d-4f7b-8f6f-e11213f48b12",
@@ -28891,7 +27408,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5046",
+ "software_attack_id": "S3050",
"source": "Tidal Cyber",
"tags": [
"27a117ce-bb19-4f79-9bc2-a851b69c5c50",
@@ -28923,6 +27440,10 @@
"dest-uuid": "2cc997b5-5076-4eef-9974-f54387614f46",
"type": "used-by"
},
+ {
+ "dest-uuid": "94794e7b-8b54-4be8-885a-fd1009425ed5",
+ "type": "used-by"
+ },
{
"dest-uuid": "923f478c-7ad1-516f-986d-61f96b9c553e",
"type": "used-by"
@@ -28970,7 +27491,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5250",
+ "software_attack_id": "S3371",
"source": "Tidal Cyber",
"tags": [
"e1af18e3-3224-4e4c-9d0f-533768474508",
@@ -29003,12 +27524,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "627e05c2-c02e-433e-9288-c2d78bce156f",
"value": "Wiper"
},
@@ -29024,12 +27540,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "c93e3079-43fb-4d8d-9e99-db63d07eadc9",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "93b02819-8acc-5d7d-ad11-abb33f9309cc",
"value": "WIREFIRE"
},
@@ -29042,7 +27553,7 @@
"macOS",
"Windows"
],
- "software_attack_id": "S5269",
+ "software_attack_id": "S3110",
"source": "Tidal Cyber",
"tags": [
"dbe18a6a-c8f9-451e-837e-5a7f25dcf913",
@@ -29065,7 +27576,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5175",
+ "software_attack_id": "S3296",
"source": "Tidal Cyber",
"tags": [
"ebf92004-6e43-434c-8380-3671cf3640a2",
@@ -29087,7 +27598,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5176",
+ "software_attack_id": "S3297",
"source": "Tidal Cyber",
"tags": [
"d819ae1a-e385-49fd-88d5-f66660729ecb",
@@ -29156,12 +27667,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "1f374a54-c839-5139-b755-555c66a21c12",
"value": "Woody RAT"
},
@@ -29172,7 +27678,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5177",
+ "software_attack_id": "S3298",
"source": "Tidal Cyber",
"tags": [
"b5581207-a45f-4f7f-b637-14444d716ad1",
@@ -29194,7 +27700,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5178",
+ "software_attack_id": "S3299",
"source": "Tidal Cyber",
"tags": [
"b4520b56-73e3-43fd-9f0d-70191132b451",
@@ -29225,7 +27731,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5251",
+ "software_attack_id": "S3372",
"source": "Tidal Cyber",
"tags": [
"96ebb518-7c1f-4011-a3ec-42aa78a95e4f",
@@ -29247,7 +27753,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5179",
+ "software_attack_id": "S3300",
"source": "Tidal Cyber",
"tags": [
"291fab5d-e732-4b19-83e4-ee642b2ae0f0",
@@ -29269,7 +27775,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5184",
+ "software_attack_id": "S3305",
"source": "Tidal Cyber",
"tags": [
"303a3675-4855-4323-b042-95bb1d907cca",
@@ -29290,7 +27796,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5180",
+ "software_attack_id": "S3301",
"source": "Tidal Cyber",
"tags": [
"03f0e493-63ae-47b5-8353-238390a895a8",
@@ -29326,10 +27832,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
- "type": "similar"
}
],
"uuid": "6f411b69-6643-4cc7-9cbd-e15d9219e99c",
@@ -29348,12 +27850,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "ab442140-0761-4227-bd9e-151da5d0a04f",
"value": "Xbash"
},
@@ -29373,10 +27870,6 @@
{
"dest-uuid": "988f5312-834e-48ea-93b7-e6e01ee0938d",
"type": "used-by"
- },
- {
- "dest-uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1",
- "type": "similar"
}
],
"uuid": "11a0dff4-1dc8-4553-8a38-90a07b01bfcd",
@@ -29395,10 +27888,6 @@
{
"dest-uuid": "5307bba1-2674-4fbd-bfd5-1db1ae06fc5f",
"type": "used-by"
- },
- {
- "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
- "type": "similar"
}
],
"uuid": "d943d3d9-3a99-464f-94f0-95aa7963d858",
@@ -29411,7 +27900,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5019",
+ "software_attack_id": "S3058",
"source": "Tidal Cyber",
"tags": [
"758c3085-2f79-40a8-ab95-f8a684737927",
@@ -29455,12 +27944,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "e14085cb-0e8d-4be6-92ba-e3b93ee5978f",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "3672ecfa-20bf-4d69-948d-876be343563f",
"value": "XCSSET"
},
@@ -29471,7 +27955,7 @@
"platforms": [
"macOS"
],
- "software_attack_id": "S5317",
+ "software_attack_id": "S3130",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -29492,9 +27976,10 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5064",
+ "software_attack_id": "S3089",
"source": "Tidal Cyber",
"tags": [
+ "2a54c431-2075-4ed5-a691-fa452c11dd13",
"ed2b3f47-3e07-4019-a9bf-ec9d87f28c96",
"15787198-6c8b-4f79-bf50-258d55072fee",
"291c006e-f77a-4c9c-ae7e-084974c0e1eb",
@@ -29526,7 +28011,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5048",
+ "software_attack_id": "S3072",
"source": "Tidal Cyber",
"tags": [
"15787198-6c8b-4f79-bf50-258d55072fee",
@@ -29556,10 +28041,6 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
- "type": "similar"
}
],
"uuid": "133136f0-7254-4cec-8710-0ab99d5da4e5",
@@ -29572,7 +28053,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5181",
+ "software_attack_id": "S3302",
"source": "Tidal Cyber",
"tags": [
"c37d2f5f-91da-43c6-869e-192bf0e0ae90",
@@ -29594,7 +28075,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5290",
+ "software_attack_id": "S3006",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -29630,10 +28111,6 @@
{
"dest-uuid": "0a245c5e-c1a8-480f-8655-bb2594e3266b",
"type": "used-by"
- },
- {
- "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3",
- "type": "similar"
}
],
"uuid": "0844bc42-5c29-47c3-b1b3-6bfffbf1732a",
@@ -29646,7 +28123,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5323",
+ "software_attack_id": "S3138",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -29681,12 +28158,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "e0962ff7-5524-4683-9b95-0e4ba07dccb2",
"value": "yty"
},
@@ -29709,15 +28181,40 @@
{
"dest-uuid": "5b1a5b9e-4722-41fc-a15d-196a549e3ac5",
"type": "used-by"
- },
- {
- "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d",
- "type": "similar"
}
],
"uuid": "e317b8a6-1722-4017-be33-717a5a93ef1c",
"value": "Zebrocy"
},
+ {
+ "description": "Zeppelin is a ransomware derived from the Vega family of Delphi-based malware. Used from 2019 through at least June 2022, Zeppelin was distributed as ransomware-as-a-service (\"RaaS\").[[U.S. CISA Zeppelin Ransomware August 11 2022](/references/42d98de2-8c9a-4cc4-b5a1-9778c0da3286)]",
+ "meta": {
+ "owner": "TidalCyberIan",
+ "platforms": [
+ "Windows"
+ ],
+ "software_attack_id": "S3185",
+ "source": "Tidal Cyber",
+ "tags": [
+ "e551ae97-d1b4-484e-9267-89f33829ec2c",
+ "15787198-6c8b-4f79-bf50-258d55072fee",
+ "562e535e-19f5-4d6c-81ed-ce2aec544f09",
+ "5e7433ad-a894-4489-93bc-41e90da90019",
+ "7e7b0c67-bb85-4996-a289-da0e792d7172"
+ ],
+ "type": [
+ "malware"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "efd2fca2-45fb-4eaf-82e7-0d20c156f84f",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "e8820bf1-1e70-469c-a93b-770c1f23b058",
+ "value": "Zeppelin Ransomware"
+ },
{
"description": "[Zeroaccess](https://app.tidalcyber.com/software/2f52b513-5293-4833-9c4d-b120e7a84341) is a kernel-mode [Rootkit](https://app.tidalcyber.com/technique/cf2b56f6-3ebd-48ec-b9d9-835397acef89) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. [[Sophos ZeroAccess](https://app.tidalcyber.com/references/41b51767-62f1-45c2-98cb-47c44c975a58)]",
"meta": {
@@ -29727,12 +28224,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "552462b9-ae79-49dd-855c-5973014e157f",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "2f52b513-5293-4833-9c4d-b120e7a84341",
"value": "Zeroaccess"
},
@@ -29755,10 +28247,6 @@
{
"dest-uuid": "e343c1f1-458c-467b-bc4a-c1b97b2127e3",
"type": "used-by"
- },
- {
- "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f",
- "type": "similar"
}
],
"uuid": "f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd",
@@ -29779,12 +28267,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "198db886-47af-4f4c-bff5-11b891f85946",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "be8add13-40d7-495e-91eb-258d3a4711bc",
"value": "Zeus Panda"
},
@@ -29795,7 +28278,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5201",
+ "software_attack_id": "S3322",
"source": "Tidal Cyber",
"tags": [
"0d0098b4-e159-4502-973d-714011ba605f",
@@ -29822,12 +28305,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "976a7797-3008-5316-9e28-19c9a05959d0",
"value": "ZIPLINE"
},
@@ -29843,12 +28321,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "1ac8d363-2903-43da-9c1d-2b28179638c8",
"value": "ZLib"
},
@@ -29859,7 +28332,7 @@
"platforms": [
"Windows"
],
- "software_attack_id": "S5312",
+ "software_attack_id": "S3125",
"source": "Tidal Cyber",
"tags": [
"c6e1f516-1a18-4ff9-b563-e6ac8103b104",
@@ -29896,10 +28369,6 @@
{
"dest-uuid": "90f4d3f9-3fe3-4a64-8dc1-172c6d037dca",
"type": "used-by"
- },
- {
- "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445",
- "type": "similar"
}
],
"uuid": "75dd9acb-fcff-4b0b-b45b-f943fb589d78",
@@ -29920,12 +28389,7 @@
"malware"
]
},
- "related": [
- {
- "dest-uuid": "54e8672d-5338-4ad1-954a-a7c986bee530",
- "type": "similar"
- }
- ],
+ "related": [],
"uuid": "49314d4e-dc04-456f-918e-a3bedfc3192a",
"value": "zwShell"
},
@@ -29960,10 +28424,6 @@
{
"dest-uuid": "502223ee-8947-42f8-a532-a3b3da12b7d9",
"type": "used-by"
- },
- {
- "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c",
- "type": "similar"
}
],
"uuid": "eea89ff2-036d-4fa6-bbed-f89502c62318",
@@ -29985,10 +28445,6 @@
{
"dest-uuid": "3a02aa1b-851a-43e1-b83b-58037f3c7025",
"type": "used-by"
- },
- {
- "dest-uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d",
- "type": "similar"
}
],
"uuid": "91e1ee26-d6ae-4203-a466-93c9e5019b47",
From 52d06097ebfb84771398c14a1cc02772f2e3bb8f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 3 Oct 2024 14:46:19 +0200
Subject: [PATCH 24/42] chg: [threat-actor] version updated
---
clusters/threat-actor.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 498caf6..34844ed 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16920,5 +16920,5 @@
"value": "UNC1860"
}
],
- "version": 315
+ "version": 316
}
From d6ade514bc86e4dca450e936b766a8402ae2f564 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 25/42] [threat-actors] Add SkidSec
---
clusters/threat-actor.json | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 34844ed..dab0b0e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16918,6 +16918,20 @@
},
"uuid": "80a874d5-0645-4245-aeb6-9b33a8689928",
"value": "UNC1860"
+ },
+ {
+ "description": "SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. Additionally, they have been noted for their potential to leak sensitive information from compromised devices.",
+ "meta": {
+ "refs": [
+ "https://socradar.io/dark-peep-7-shadows-of-betrayal-and-leadership-in-flux/",
+ "https://medium.com/@criminalip/skidsec-hacker-group-announces-plans-to-spread-north-korean-propaganda-through-hacked-printers-in-fdd314178dc4"
+ ],
+ "synonyms": [
+ "SkidSec Leaks"
+ ]
+ },
+ "uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb",
+ "value": "SkidSec"
}
],
"version": 316
From dfe6e6dfabc46068929494c23c02105ace990cdc Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 26/42] [threat-actors] Add Awaken Likho
---
clusters/threat-actor.json | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dab0b0e..78ed7f8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16932,6 +16932,20 @@
},
"uuid": "afca4b9c-2bdb-47ef-becc-1d5683d3d2fb",
"value": "SkidSec"
+ },
+ {
+ "description": "Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/",
+ "https://bi.zone/eng/expertise/blog/core-werewolf-protiv-opk-i-kriticheskoy-infrastruktury/"
+ ],
+ "synonyms": [
+ "Core Werewolf"
+ ]
+ },
+ "uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7",
+ "value": "Awaken Likho"
}
],
"version": 316
From 182102f73899b7345d623d8d50359c282ffc5e67 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 27/42] [threat-actors] Add CeranaKeeper
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 78ed7f8..4e3e522 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16946,6 +16946,17 @@
},
"uuid": "b3a4c34f-0ad6-4083-938a-958deb34b6c7",
"value": "Awaken Likho"
+ },
+ {
+ "description": "CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/"
+ ]
+ },
+ "uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
+ "value": "CeranaKeeper"
}
],
"version": 316
From 2137a86586816edac3a9362b749f63276553231b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 28/42] [threat-actors] Add SongXY
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4e3e522..db5c3d8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16957,6 +16957,17 @@
},
"uuid": "a798eb63-b0b2-4da5-8a9e-d6e821f775eb",
"value": "CeranaKeeper"
+ },
+ {
+ "description": "SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.",
+ "meta": {
+ "refs": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
+ "http://www.ptsecurity.com/upload/corporate/ww-en/analytics/APT-Attacks-eng.pdf"
+ ]
+ },
+ "uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
+ "value": "SongXY"
}
],
"version": 316
From 8c9ee3b293adafa1b0ed45afeba5ebc36bd17523 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:02 -0700
Subject: [PATCH 29/42] [threat-actors] Add TaskMasters
---
clusters/threat-actor.json | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index db5c3d8..40c3e41 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16968,6 +16968,21 @@
},
"uuid": "439a65b0-c4b4-4a09-a9c9-2c70476574ab",
"value": "SongXY"
+ },
+ {
+ "description": "TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.group-ib.com/blog/task/",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia"
+ ],
+ "synonyms": [
+ "BlueTraveller"
+ ]
+ },
+ "uuid": "f6134b6c-56f1-4eda-be0f-79411d627f19",
+ "value": "TaskMasters"
}
],
"version": 316
From 3ac6bb3080c3ca42f23ea32ead3a262d01738ca4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 7 Oct 2024 03:58:03 -0700
Subject: [PATCH 30/42] [threat actors] Update README
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bea1cde..1e1075d 100644
--- a/README.md
+++ b/README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *746* elements
+Category: *actor* - source: *MISP Project* - total: *751* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
From e7ac294850a16f024c7dca9b2c8edda0e7a39c8a Mon Sep 17 00:00:00 2001
From: rectifyq <170057705+rectifyq@users.noreply.github.com>
Date: Wed, 9 Oct 2024 12:57:36 +0000
Subject: [PATCH 31/42] chg: [producer] added Recorded Future, Cyble, Cyfirma,
SentinelOne, Fortinet, Zscaler, Splunk and Huntress.
---
clusters/producer.json | 252 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 251 insertions(+), 1 deletion(-)
diff --git a/clusters/producer.json b/clusters/producer.json
index 72fa059..6e61eb2 100644
--- a/clusters/producer.json
+++ b/clusters/producer.json
@@ -668,7 +668,257 @@
"description": "Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, reverse proxies, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California.",
"uuid": "a0a87034-b8ff-4991-9ae1-e650a43292ef",
"value": "Cloudflare"
+ },
+ {
+ "description": "Recorded Future, Inc. is an American privately held cybersecurity company founded in 2009, with headquarters in Somerville, Massachusetts.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.recordedfuture.com/"
+ ],
+ "product-type": [
+ "Digital Risk Protection",
+ "Threat Intelligence",
+ "Exposure Management",
+ "Threat Intelligence Feeds"
+ ],
+ "products": [
+ "Threat Intelligence",
+ "Brand Intelligence",
+ "SecOps Intelligence",
+ "Vulnerability Intelligence",
+ "Third-Party Intelligence",
+ "Geopolitical Intelligence",
+ "Attack Surface Intelligence",
+ "Identity Intelligence",
+ "Payment Fraud Intelligence",
+ "Analyst On Demand"
+ ],
+ "refs": [
+ "https://en.wikipedia.org/wiki/Recorded_Future",
+ "https://www.recordedfuture.com/resources"
+ ],
+ "synonyms": [
+ "Recorded Future, Inc",
+ "Insikt Group"
+ ]
+ },
+ "uuid": "ad7032df-0e9a-4ea9-b35c-c68ff854be80",
+ "value": "Recorded Future"
+ },
+ {
+ "description": "Cyble empowers organizations to take control of their cyber risks with AI-driven, cybersecurity platforms.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://cyble.com/"
+ ],
+ "product-type": [
+ "Digital Risk Protection",
+ "Threat Intelligence",
+ "Exposure Management"
+ ],
+ "products": [
+ "Cyble Vision",
+ "Cyble Hawk",
+ "AmIBreached",
+ "Odin",
+ "The Cyber Express"
+ ],
+ "refs": [
+ "https://cyble.com/resources/",
+ "https://thecyberexpress.com/"
+ ],
+ "synonyms": "The Cyber Express"
+ },
+ "uuid": "43e3e0a8-a12d-450a-8f2d-94915123549c",
+ "value": "Cyble"
+ },
+ {
+ "description": "CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence",
+ "meta": {
+ "company-type": "Cyber Intelligence Provider",
+ "country": "SG",
+ "official-refs": [
+ "https://www.cyfirma.com/"
+ ],
+ "product-type": [
+ "Threat Intelligence",
+ "Digital Risk Protection",
+ "Mobile App"
+ ],
+ "products": [
+ "DeCYFIR",
+ "DeTCT",
+ "DeFNCE"
+ ],
+ "refs": [
+ "https://www.cyfirma.com/research/",
+ "https://golden.com/wiki/CYFIRMA-K46ZYP8"
+ ]
+ },
+ "uuid": "9d804c53-f307-421c-9f4d-41061c7eee62",
+ "value": "Cyfirma"
+ },
+ {
+ "description": "SentinelOne, Inc. is an American cybersecurity company listed on NYSE based in Mountain View, California.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.sentinelone.com/"
+ ],
+ "product-type": [
+ "Endpoint Protection",
+ "Endpoint Detection Response",
+ "Deception Technology"
+ ],
+ "products": [
+ "Singularity Platform",
+ "Singularity Identity",
+ "Singularity Hologram"
+ ],
+ "refs": "https://www.sentinelone.com/labs/",
+ "synonyms": "Sentinel One"
+ },
+ "uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461",
+ "value": "SentinelOne"
+ },
+ {
+ "description": "Fortinet, Inc. is a cybersecurity company with headquarters in Sunnyvale, California. The company develops and sells security solutions like firewalls, endpoint security and intrusion detection systems.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.fortinet.com/"
+ ],
+ "product-type": [
+ "Firewall",
+ "Application delivery controller",
+ "SOAR",
+ "Web application firewall / API security",
+ "Network security platform"
+ ],
+ "products": [
+ "FortiADC",
+ "FortiAnalyzer",
+ "FortiAuthenticator",
+ "FortiCASB",
+ "FortiClient",
+ "FortiEDR",
+ "FortiCNP",
+ "FortiDDos",
+ "FortiDeceptor",
+ "FortiExtender",
+ "FortiGate",
+ "FortiIsolator",
+ "FortiMail",
+ "FortiManager",
+ "FortiNAC",
+ "FortiPAM",
+ "FortiSandbox",
+ "FortiSIEM",
+ "FortiSASE",
+ "FortiSOAR",
+ "FortiSwitch",
+ "FortiTester",
+ "FortiToken",
+ "FortiVoice",
+ "FortiWeb"
+ ],
+ "refs": [
+ "https://en.wikipedia.org/wiki/Fortinet",
+ "https://www.fortinet.com/blog/threat-research"
+ ]
+ },
+ "uuid": "bfafdca5-3171-4953-86ab-c74f44822fd3",
+ "value": "Fortinet"
+ },
+ {
+ "description": "Zscaler, Inc. (/ˈziːˌskeɪlər/) is an American cloud security company based in San Jose, California. The company offers cloud-based services to protect enterprise networks and data.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.zscaler.com/"
+ ],
+ "product-type": [
+ "Secure Web Gateway",
+ "SASE",
+ "VPN",
+ "CASB",
+ "DLP"
+ ],
+ "products": [
+ "Zscaler Internet Access",
+ "Zscaler Private Access",
+ "Zscaler Digital Experience",
+ "Zscaler Zero Trust Exchange"
+ ],
+ "refs": [
+ "https://www.zscaler.com/blogs?type=security-research",
+ "https://en.wikipedia.org/wiki/Zscaler"
+ ]
+ },
+ "uuid": "1427d7df-a9b8-4809-afe0-1180cfdd930d",
+ "value": "Zscaler"
+ },
+ {
+ "description": "Splunk Inc. is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a web-style interface.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "product-type": [
+ "SIEM",
+ "Observability",
+ "SOAR",
+ "UEBA"
+ ],
+ "products": [
+ "Splunk Enterprise Security",
+ "Splunk ITSI",
+ "Splunk SOAR",
+ "Splunk Observability Cloud",
+ "Splunk UEBA"
+ ],
+ "refs": [
+ "https://www.splunk.com/",
+ "https://www.splunk.com/en_us/blog/security.html",
+ "https://en.wikipedia.org/wiki/Splunk"
+ ]
+ },
+ "uuid": "7acb73f9-83c8-4a1d-88e5-873bad8659fa",
+ "value": "Splunk"
+ },
+ {
+ "description": "Huntress Labs Incorporated operates as a security software solution provider. The Company provides managed threat detection and response services to uncover, address persistent footholds that prevent defenses. Huntress Labs serves customers in the United States.",
+ "meta": {
+ "company-type": "Cyber Security Vendor",
+ "country": "US",
+ "official-refs": [
+ "https://www.huntress.com/"
+ ],
+ "product-type": [
+ "Managed Security",
+ "Endpoint Detection Response",
+ "Security Awareness Training"
+ ],
+ "products": [
+ "Managed EDR",
+ "MDR for Microsoft 365",
+ "Security Awareness Training",
+ "Managed SIEM"
+ ],
+ "refs": [
+ "https://www.huntress.com/",
+ "https://www.huntress.com/blog"
+ ]
+ },
+ "uuid": "9bfc59a7-ab20-4ef0-8034-871956d4a9cc",
+ "value": "Huntress"
}
],
- "version": 12
+ "version": 13
}
From 4c58ed03b09ed3bcdbc240183e861146e74184c3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 10 Oct 2024 06:37:03 +0200
Subject: [PATCH 32/42] fix: [producer] refs are arrays
---
clusters/producer.json | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/producer.json b/clusters/producer.json
index 6e61eb2..c26e25a 100644
--- a/clusters/producer.json
+++ b/clusters/producer.json
@@ -780,7 +780,9 @@
"Singularity Identity",
"Singularity Hologram"
],
- "refs": "https://www.sentinelone.com/labs/",
+ "refs": [
+ "https://www.sentinelone.com/labs/"
+ ],
"synonyms": "Sentinel One"
},
"uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461",
@@ -920,5 +922,5 @@
"value": "Huntress"
}
],
- "version": 13
+ "version": 14
}
From e2985c368693d4063fc4a67f3ecee20e35fd8069 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 10 Oct 2024 06:40:15 +0200
Subject: [PATCH 33/42] fix: [producer] must be an array
---
clusters/producer.json | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/producer.json b/clusters/producer.json
index c26e25a..e54bbdb 100644
--- a/clusters/producer.json
+++ b/clusters/producer.json
@@ -731,7 +731,9 @@
"https://cyble.com/resources/",
"https://thecyberexpress.com/"
],
- "synonyms": "The Cyber Express"
+ "synonyms": [
+ "The Cyber Express"
+ ]
},
"uuid": "43e3e0a8-a12d-450a-8f2d-94915123549c",
"value": "Cyble"
From a4d1cdc1ce7fe01af3380ba5678e370cff4707ec Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 10 Oct 2024 09:33:12 +0200
Subject: [PATCH 34/42] chg: [producer] updated
---
clusters/producer.json | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/producer.json b/clusters/producer.json
index e54bbdb..a6f456b 100644
--- a/clusters/producer.json
+++ b/clusters/producer.json
@@ -785,7 +785,9 @@
"refs": [
"https://www.sentinelone.com/labs/"
],
- "synonyms": "Sentinel One"
+ "synonyms": [
+ "Sentinel One"
+ ]
},
"uuid": "996c48de-7bb8-414d-b6fe-ec94abb5f461",
"value": "SentinelOne"
@@ -924,5 +926,5 @@
"value": "Huntress"
}
],
- "version": 14
+ "version": 15
}
From 0e9544c6c8172efe721486205676b49176ee0b9e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 10 Oct 2024 14:59:51 +0200
Subject: [PATCH 35/42] chg: [doc] README updated
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1e1075d..d48457f 100644
--- a/README.md
+++ b/README.md
@@ -487,7 +487,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.
-Category: *actor* - source: *MISP Project* - total: *38* elements
+Category: *actor* - source: *MISP Project* - total: *46* elements
[[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)]
From f50ce73d12ff9fe4ad1c3a549843f91f40704325 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 10 Oct 2024 20:37:16 +0200
Subject: [PATCH 36/42] chg: [ransomware] updated
---
clusters/ransomware.json | 108 +++++++++++++++++++++++++++++++++++----
1 file changed, 99 insertions(+), 9 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 5980df9..cb71b77 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -16079,7 +16079,13 @@
"description": "Ransomware",
"meta": {
"links": [
- "http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion"
+ "http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion",
+ "http://4qyjonpyksc52bc3fsgfgedssqgo4a6vlfsjknqnkncbyl4layqkqjid.onion/",
+ "http://eleav2eq3ioyiuevbyvqaz3vruwvpislphszo4cm7n56itbpnupxngyd.onion/",
+ "http://2cyxmof76rxeqze5snxxooqmhzjtcploqswxoxmenfayphumdhrtrzqd.onion/",
+ "http://rqqn25k3hgmfkh7ykjbmakjgidwweomr7cbpy6pfecpxs57r5iwzwtyd.onion/",
+ "http://mu6se7h7qfwuqclr4cc6zy7qevod6gyk37aq5vwnayrtbx3qqycx2fyd.onion/",
+ "http://urey23jtg6z7xx3tiybmc4sgcim7dawiz2abl6crpup2lfobf7yb5wyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/blackout"
@@ -26757,7 +26763,8 @@
],
"links": [
"http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion/",
- "https://0mega.cc/"
+ "https://0mega.cc/",
+ "https://0mega.ws/"
],
"ransomnotes-filenames": [
"DECRYPT-FILES.txt"
@@ -28550,7 +28557,8 @@
"meta": {
"links": [
"http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion/",
- "http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion"
+ "http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion",
+ "http://92.118.36.204/"
],
"refs": [
"https://www.ransomlook.io/group/8base"
@@ -28654,7 +28662,34 @@
{
"meta": {
"links": [
- "http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion"
+ "http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion",
+ "http://ufvi7hpcawesdklmommeeq4iokhq2km4hay3dwh4rirth5xaomle35id.onion/",
+ "http://t7ogwvu74a6flssns55yv7zw2xvssqbhrdbxqrwbahumyzwklnvqayid.onion/",
+ "http://gmxnejtsg3uiwopmnsooxbi3p2nukwemkvm7bg44tgbbnuuuyofqjfyd.onion/",
+ "http://jtjz6utbmabwcatyomwxaeum7ey7nxs7yooqflxhctnksjqsnammonqd.onion/",
+ "http://2mhkqjcw4auxop7auchz2iijcbj63qccwodtokofbb2ul5oejkkt6xyd.onion/",
+ "http://wka7ma7rzgmzmtn65dhv5zp5p6e3uv5sydnns7xsf6kpf7noukhchhqd.onion/",
+ "http://l3yeoyhnphtymqua5env7qitedmqv5ahe7waxgndwa64z2c2h3cjjhqd.onion/",
+ "http://2j45tydxcvm44jbyr6krhx77rzey3jtif5qdjak2gik4usoljvvhqaid.onion/",
+ "http://cuft7z2xlfogrtx4ddqnjqyerye2qtagksow2fip4xbb5iw7dsgtvhqd.onion/",
+ "http://wyz32kscr2ythqpyjwqfxcaxn5576fdurr7jag44gggnmi4cvhykhvid.onion/",
+ "http://3pb6cefz6hubgyb2ph7ua7yjzjpxwapbbp5zomz7xmvrjhjfykjwu6id.onion/",
+ "http://kn4spxunete4ddz7375i2wpnj4vvkir7wdmcg2pc5yod56lmb54nbayd.onion/",
+ "http://2ikvareyuw2wjnc4vb5yteq7d2tkg6k3gevnixzqtkn3cpvej6ajj4yd.onion/",
+ "http://wflff64dxxqvfhd7poarkvkphmibdjyyhv7h4zqo5m52ggsgncmbrbqd.onion/",
+ "http://frheu6drsqpehmuyrdxdrfu5bzqwxps4zlmnuxlcnxskwxcwqsyhwxyd.onion/",
+ "http://kceqbaoxmx2czutxty3mq35m5mv46dq66hpszrhbhduj7uwhu6ax3qad.onion/",
+ "http://4nsmlpz4qceow7bfrmarxdqaj7chcqobin3mzb27uhscb2yvjs6j4xqd.onion/",
+ "http://nka6xgyyu77ksb5xmmovp4en2hrkg53mfq2osql526oe7nybnlggfgid.onion/",
+ "http://mflnjnwfinorxxsgkyfel3fqanbtbbrl5k5mqqjwmrf7o3jc6a4hy3id.onion/",
+ "http://jtt4lqatjtrj5hxxi33dczkluouf5wivzdmy4v62dnhipk6ixk5mktad.onion/",
+ "http://udugclljnfcx34amtpddkjggmkfqci5xnlfef2hqtxstufulo3pvauid.onion/",
+ "http://vmmefm7ktazj2bwtmy46o3wxhk42tctasyyqv6ymuzlivszteyhkkyad.onion/",
+ "http://cfev2mvlqooohl3af2upkgu3ju4qcgqrrgh6sprfxkgh3qldh2ykxzyd.onion/",
+ "http://2fzahjlleflpcyecd245xe3q6tczjkwzcm4fbhd4q4bsun45y2csyayd.onion/",
+ "http://wpefgvpyuszr4vg444qed734big233itylqclte7usszbdbfyqvb2lqd.onion/",
+ "http://gvzbeu532wwxqze3v3xcxpsbhpvwusnajzahi55dqklbunzgjp5wchad.onion/",
+ "http://ieelfdk3qr6as2u5cx3kfo57pdu6s77lis3lafg5lx5ljqf2izial6ad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/abyss-data"
@@ -28928,7 +28963,20 @@
"links": [
"http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog",
"http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login",
- "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion"
+ "http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion",
+ "http://zsglo7t7osxyk3vcl7zxzup7hs4ir52sntteymmw63zvoxzcqytlw7qd.onion/",
+ "http://6dgi54prfmpuuolutr4hl3akasxbx4o34g5y2bj4blrvzzkjemhxenad.onion/",
+ "http://eogeko3sdn66gb7vjpwpmlmmmzfx7umtwaugpf5l6tb5jveolfydnuad.onion/",
+ "http://ewrxgpvv7wsrqq7itfwg5jr7lkc6zzknndmru5su2ugrowxo3wwy5yad.onion/",
+ "http://3ro23rujyigqrlrwk3e4keh3a3i6ntgrm3f42tbiqtf7vke47c6a6ayd.onion/",
+ "http://jziu7k7uee467r2wt66ndrwymmw7tsmqgcqi7aemcaxraqmaf2hdm3yd.onion/",
+ "http://2yczff6zyiey3gkgl5anwejktdp73abxbzbnvwobmrwkwgf3hudpyvyd.onion/",
+ "http://bpoowhokr3vi32l3t4mjdtdxfrfpigwachopk5ojwmgxihnojhsawuyd.onion/",
+ "http://dbvczza7nhwdb5kdvkzjtkrcvwnrt5viw7mihutueprvajy7rxhwq6id.onion/",
+ "http://xtcwd3xmxpggtizn7kmwwqeizexflkkyqsytg2kauccau6ddsfa4gfyd.onion/",
+ "http://4wcrfql53ljekid3sn66z6swjot725muveddq77utxltaelw64eikfid.onion/",
+ "http://73h3lxn24kuayyfkn4t6ij7e67jklo24vqzqdhpts3ygmim7hu6u6aid.onion/",
+ "http://nwtetzmrqhxieetg5lvth7szzvg35gfrqt23ly46vku56oo7pkueswyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/dragonforce"
@@ -28945,7 +28993,8 @@
"http://mjmru3yz65o5szsp4rmkmh4adlezcpy5tqjjc4y5z6lozk3nnz2da2ad.onion/",
"http:// http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion",
"http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion",
- "http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion"
+ "http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion",
+ "http://xeuvs5poflczn5i5kbynb5rupmidb5zjuza6gaq22uqsdp3jvkjkciqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/ransomhub"
@@ -29362,7 +29411,9 @@
{
"meta": {
"links": [
- "https://apos.blog"
+ "https://apos.blog",
+ "http://yrz6bayqwhleymbeviter7ejccxm64sv2ppgqgderzgdhutozcbbhpqd.onion/rules",
+ "http://yrz6bayqwhleymbeviter7ejccxm64sv2ppgqgderzgdhutozcbbhpqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/apos"
@@ -29493,7 +29544,8 @@
{
"meta": {
"links": [
- "http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/"
+ "http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/",
+ "http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/cicada3301"
@@ -29811,7 +29863,45 @@
},
"uuid": "9d7ca9df-c219-59fc-93fb-86f4606942ba",
"value": "nitrogen"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion",
+ "http://bi32pq7y3gqq3qacgvamnk2s2elnppvevqp325wtk2wo7vh2zavjcfid.onion/",
+ "http://54yjkjwjqbm74nchm6o6b4l775ws2hgesdopus5jvo3jx6ftj7zn7mid.onion/",
+ "http://ngvvafvhfgwknj63ivqjqdxc7b5fyedo67zshblipo5a2zuair5t4nid.onion/",
+ "http://icmghe66zl4twvbv5g4h532mogcea44hrkxtotrlx6aia5jslnnbnxad.onion/",
+ "http://lyz3i74psw6vkuxdjhkyxzy3226775qpzs6oage4zw6qj66ppdxma2qd.onion/",
+ "http://55lfxollcks2pvxbtg73vrpl3i7x4jnnrxfl6al6viamwngqlu4cxgyd.onion/",
+ "http://modre6n4hqm4seip2thhbjcfkcdcljhec7ekvd5qt7m7fhimpc2446qd.onion/",
+ "http://r3yes535gjsi2puoz2bvssl3ewygcfgwoji6wdk3grj3baexn2hha2id.onion/",
+ "http://pauppf2nuoqxwwqqshaehbkj54debl7bppacfm5h6z6zjoiejifezhad.onion/",
+ "http://iiobxrljnmjwb6l66bfvhin5zxbghbgiv6yamqpb4bezlrxd2vhetgyd.onion/",
+ "http://nf5b6a4b4s623wfxkveibjmwwpqjm536t5tyrbtrw7vsdqepsdoejoad.onion/",
+ "http://rs3icoalw6bdgedspnmt6vp2dzzuyqxtccezmta2g5mlyao64len7dyd.onion/",
+ "http://lpp4aze237qkkursbtesd54ofag6te5i5lzpee5a3buhq4v3uwtxnlqd.onion/",
+ "http://6nwhpuwtf4onxvr7el5ycc4xwefhk4w6q6rbn23oe2ghax2x7nns3iad.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/sarcoma"
+ ]
+ },
+ "uuid": "dfe512ec-19ef-50c4-9ddf-56daf8c9b8d7",
+ "value": "sarcoma"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/interlock"
+ ]
+ },
+ "uuid": "6a20c736-d83c-502f-8a9f-379a556fb4ac",
+ "value": "interlock"
}
],
- "version": 135
+ "version": 136
}
From b0384b8889a686fb0ca18b2999b89045172c1d4f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 10 Oct 2024 22:12:40 +0200
Subject: [PATCH 37/42] chg: [doc] README updated
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d48457f..917ab53 100644
--- a/README.md
+++ b/README.md
@@ -495,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *46* elements
[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on different sources and maintained by the MISP Project.
-Category: *tool* - source: *Various* - total: *1807* elements
+Category: *tool* - source: *Various* - total: *1809* elements
[[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
From 73847f1cc1bb7a211d95bc401ebb310fa95ab81a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 17 Oct 2024 13:44:21 +0200
Subject: [PATCH 38/42] chg: [ransomware] updated to the latest version
---
clusters/ransomware.json | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index cb71b77..8c15a5d 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -29203,7 +29203,8 @@
"meta": {
"links": [
"http://p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion/index.html",
- "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/"
+ "http://nsalewdnfclsowcal6kn5csm4ryqmfpijznxwictukhrgvz2vbmjjjyd.onion/",
+ "https://5kvv27efetbcqgem4tl7jsolvr3jxkrbmn23rcjzl7kvqycxuao3t4ad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/dunghill"
@@ -29372,7 +29373,8 @@
"http://zo5xog4vpvdae473doneepetidh36m5czdq2vyeiq3lvqhuel56p6nid.onion/",
"http://66ohzao6afsv2opk22r2kv6fbnf2fthe7v4ykzzc5vjezvvyf3gocwyd.onion/",
"https://2nn4b6gihz5bttzabjegune3blwktad2zmy77fwutvvrxxodbufo6qid.onion/",
- "http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/"
+ "http://y6kyfs2unbfcyodzjrxadn4w5vyulhyotdi5dtiqulxbduujehupunqd.onion/",
+ "http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion/api/blog/get"
],
"refs": [
"https://www.ransomlook.io/group/embargo"
@@ -29893,7 +29895,8 @@
{
"meta": {
"links": [
- "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/"
+ "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/",
+ "http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/leaks.php"
],
"refs": [
"https://www.ransomlook.io/group/interlock"
@@ -29903,5 +29906,5 @@
"value": "interlock"
}
],
- "version": 136
+ "version": 137
}
From 2594c9186404e8b68578a041410013b8c75363b0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 17 Oct 2024 13:55:15 +0200
Subject: [PATCH 39/42] chg: [cluster] updated
---
clusters/sigma-rules.json | 3503 ++++++++++++++++++++-----------------
1 file changed, 1863 insertions(+), 1640 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index db7c7bf..af929ed 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -23,10 +23,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
],
"tags": [
@@ -93,8 +93,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/last-byte/PersistenceSniper",
"https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/last-byte/PersistenceSniper",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
],
"tags": [
@@ -127,8 +127,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
"https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
],
"tags": [
@@ -149,10 +149,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://www.sans.org/cyber-security-summit/archives",
- "https://twitter.com/jamieantisocial/status/1304520651248668673",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling",
+ "https://twitter.com/jamieantisocial/status/1304520651248668673",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
],
"tags": [
@@ -188,9 +188,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
],
"tags": [
@@ -223,8 +223,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml"
],
"tags": [
@@ -258,10 +258,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
],
"tags": [
@@ -294,9 +294,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/991447379864932352",
"https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
"http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
+ "https://twitter.com/Hexacorn/status/991447379864932352",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
],
"tags": [
@@ -395,8 +395,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/aedebug.html",
"https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
+ "https://persistence-info.github.io/Data/aedebug.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
],
"tags": [
@@ -419,12 +419,12 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
- "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
- "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
"https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
"https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
+ "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
+ "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
+ "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml"
],
"tags": [
@@ -466,11 +466,11 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
- "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
- "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
"https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
+ "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
+ "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
],
"tags": [
@@ -540,8 +540,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
"https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
],
"tags": [
@@ -564,8 +564,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml"
],
"tags": [
@@ -716,9 +716,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
],
"tags": [
@@ -786,8 +786,8 @@
"logsource.product": "windows",
"refs": [
"https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
"https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
+ "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
],
"tags": [
@@ -820,9 +820,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
],
"tags": [
@@ -863,8 +863,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74",
"https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml"
],
"tags": [
@@ -1032,8 +1032,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
],
"tags": [
@@ -1100,9 +1100,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
],
"tags": [
@@ -1135,8 +1135,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
],
"tags": [
@@ -1202,10 +1202,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
- "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
"https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
"https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
+ "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
+ "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml"
],
"tags": [
@@ -1305,8 +1305,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/naturallanguage6.html",
"https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
+ "https://persistence-info.github.io/Data/naturallanguage6.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
],
"tags": [
@@ -1371,8 +1371,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml"
],
@@ -1439,8 +1439,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/",
"https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll",
+ "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml"
],
"tags": [
@@ -1473,8 +1473,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
"https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
],
"tags": [
@@ -1507,8 +1507,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)",
"https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/",
+ "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml"
],
"tags": [
@@ -1576,8 +1576,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml"
],
"tags": [
@@ -1627,9 +1627,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
- "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
+ "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml"
],
"tags": [
@@ -1662,9 +1662,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://twitter.com/inversecos/status/1494174785621819397",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml"
],
"tags": [
@@ -1858,8 +1858,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
],
"tags": [
@@ -1892,8 +1892,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
"https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
+ "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
"https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml"
],
@@ -1940,10 +1940,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/ifilters.html",
- "https://twitter.com/0gtweet/status/1468548924600459267",
"https://github.com/gtworek/PSBits/tree/master/IFilter",
+ "https://persistence-info.github.io/Data/ifilters.html",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
+ "https://twitter.com/0gtweet/status/1468548924600459267",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
],
"tags": [
@@ -1966,10 +1966,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
- "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
- "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://twitter.com/M_haggis/status/1699056847154725107",
+ "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
+ "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
+ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml"
],
"tags": [
@@ -2058,10 +2058,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1626648985824788480",
"https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
"https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
"https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
+ "https://twitter.com/nas_bench/status/1626648985824788480",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml"
],
"tags": [
@@ -2286,17 +2286,17 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://twitter.com/_xpn_/status/1268712093928378368",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://bunnyinside.com/?term=f71e8cb9c76a",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
],
"tags": [
@@ -2394,8 +2394,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
],
"tags": [
@@ -2428,8 +2428,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
],
"tags": [
@@ -2452,8 +2452,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/",
"https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll",
+ "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml"
],
"tags": [
@@ -2520,8 +2520,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
"https://youtu.be/zSihR3lTf7g",
+ "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml"
],
"tags": [
@@ -2611,16 +2611,16 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://blog.sekoia.io/darkgate-internals/",
- "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry",
- "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
"https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
"https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry",
+ "https://blog.sekoia.io/darkgate-internals/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
],
"tags": [
@@ -2788,9 +2788,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
],
"tags": [
@@ -2858,13 +2858,14 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
],
"tags": [
@@ -2897,9 +2898,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
"https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
+ "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
],
"tags": [
@@ -2934,9 +2935,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
],
"tags": [
@@ -2992,9 +2993,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
],
"tags": [
@@ -3017,9 +3018,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/ransomware-families/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://unit42.paloaltonetworks.com/ransomware-families/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
],
"tags": [
@@ -3078,9 +3079,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
],
"tags": [
@@ -3113,8 +3114,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml"
],
@@ -3149,8 +3150,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
],
"tags": [
@@ -3185,9 +3186,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
],
"tags": [
@@ -3277,8 +3278,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
"https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
"https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
"https://github.com/elastic/detection-rules/issues/1371",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
@@ -3387,8 +3388,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://persistence-info.github.io/Data/hhctrl.html",
+ "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
],
"tags": [
@@ -3445,9 +3446,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
],
"tags": [
@@ -3553,9 +3554,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://twitter.com/inversecos/status/1494174785621819397",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml"
],
"tags": [
@@ -3655,13 +3656,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
"https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
"https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
],
"tags": [
@@ -3695,8 +3696,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
"Internal Research",
+ "https://twitter.com/inversecos/status/1494174785621819397",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml"
],
"tags": [
@@ -3729,8 +3730,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
],
"tags": [
@@ -3763,8 +3764,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/mpnotify.html",
"https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
+ "https://persistence-info.github.io/Data/mpnotify.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
],
"tags": [
@@ -3820,8 +3821,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_vivami/status/1347925307643355138",
"https://vanmieghem.io/stealth-outlook-persistence/",
+ "https://twitter.com/_vivami/status/1347925307643355138",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
],
"tags": [
@@ -3979,10 +3980,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
- "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
"https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps",
+ "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
"https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1",
+ "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml"
],
"tags": [
@@ -4039,9 +4040,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
],
"tags": [
@@ -4268,8 +4269,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
"https://www.exploit-db.com/exploits/47696",
+ "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
],
"tags": [
@@ -4536,9 +4537,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
"https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change",
+ "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml"
],
"tags": [
@@ -4680,8 +4681,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
],
"tags": [
@@ -4805,9 +4806,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
"https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
],
"tags": [
@@ -4863,8 +4864,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
+ "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml"
],
"tags": [
@@ -5054,8 +5055,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
"https://twitter.com/WhichbufferArda/status/1543900539280293889",
+ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
],
"tags": [
@@ -5088,8 +5089,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
"https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
+ "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml"
],
"tags": [
@@ -5191,8 +5192,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/pabraeken/status/998627081360695297",
- "https://twitter.com/VakninHai/status/1517027824984547329",
"https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
+ "https://twitter.com/VakninHai/status/1517027824984547329",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
],
"tags": [
@@ -5266,8 +5267,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1560536653709598721",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://twitter.com/malmoeb/status/1560536653709598721",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
],
"tags": [
@@ -5290,11 +5291,11 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
- "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage",
+ "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
],
"tags": [
@@ -5460,8 +5461,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/",
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml"
],
"tags": [
@@ -5528,9 +5529,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
],
"tags": [
@@ -5598,10 +5599,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://persistence-info.github.io/Data/userinitmprlogonscript.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
],
"tags": [
@@ -5635,9 +5636,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
"https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
],
"tags": [
@@ -5712,8 +5713,8 @@
"logsource.product": "windows",
"refs": [
"https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials",
- "https://adsecurity.org/?p=1785",
"https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/",
+ "https://adsecurity.org/?p=1785",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml"
],
"tags": [
@@ -5747,9 +5748,9 @@
"logsource.product": "windows",
"refs": [
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
],
"tags": [
@@ -6162,8 +6163,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
],
"tags": [
@@ -6328,9 +6329,9 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
- "http://woshub.com/how-to-clear-rdp-connections-history/",
"https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
+ "http://woshub.com/how-to-clear-rdp-connections-history/",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
],
"tags": [
@@ -6374,8 +6375,8 @@
"https://learn.microsoft.com/en-us/windows/win32/shell/launch",
"https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
"https://github.com/OTRF/detection-hackathon-apt29/issues/7",
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
"https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
],
"tags": [
@@ -6408,8 +6409,8 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://seclists.org/fulldisclosure/2020/Mar/45",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml"
],
"tags": [
@@ -6509,8 +6510,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
],
"tags": [
@@ -6554,8 +6555,8 @@
"logsource.product": "windows",
"refs": [
"https://adepts.of0x.cc/netsh-portproxy-code/",
- "https://www.dfirnotes.net/portproxy_detection/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
],
"tags": [
@@ -6590,8 +6591,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
"https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
+ "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
],
"tags": [
@@ -6624,8 +6625,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
"https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
"http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml"
],
@@ -6659,11 +6660,11 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
+ "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
+ "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
"https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
- "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
- "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
],
"tags": [
@@ -6698,8 +6699,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
+ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
"https://persistence-info.github.io/Data/recyclebin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
],
@@ -6733,10 +6734,10 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
"https://github.com/hfiref0x/UACME",
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
"https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
],
"tags": [
@@ -6878,8 +6879,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
+ "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
],
"tags": [
@@ -7288,8 +7289,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
],
"tags": [
@@ -7496,8 +7497,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml"
],
"tags": [
@@ -7533,8 +7534,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
"https://twitter.com/SBousseaden/status/1183745981189427200",
+ "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml"
],
"tags": [
@@ -7744,11 +7745,11 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
+ "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
"https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
"https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
"https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
- "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
],
"tags": [
@@ -8342,8 +8343,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
"Internal Research",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml"
],
"tags": [
@@ -8376,10 +8377,10 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
"https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
+ "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml"
],
"tags": [
@@ -8447,8 +8448,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/neonprimetime/status/1436376497980428318",
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
"https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml"
],
"tags": [
@@ -8515,8 +8516,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04",
+ "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml"
],
"tags": [
@@ -8749,9 +8750,9 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://cydefops.com/vscode-data-exfiltration",
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://cydefops.com/vscode-data-exfiltration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml"
],
"tags": [
@@ -8784,8 +8785,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/",
"https://malware.guide/browser-hijacker/remove-onelaunch-virus/",
+ "https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/",
"https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml"
],
@@ -8819,8 +8820,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
"https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml"
],
"tags": [
@@ -8862,14 +8863,14 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
"https://blog.sekoia.io/scattered-spider-laying-new-eggs/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
- "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
"https://redcanary.com/blog/misbehaving-rats/",
"https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization",
+ "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"
],
"tags": [
@@ -8902,18 +8903,18 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
"https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml"
],
"tags": [
@@ -8948,8 +8949,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml"
],
"tags": [
@@ -9027,8 +9028,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://github.com/Azure/SimuLand",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
"https://o365blog.com/post/adfs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml"
],
@@ -9062,8 +9063,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml"
],
"tags": [
@@ -9174,8 +9175,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/hackvens/CoercedPotato",
"https://blog.hackvens.fr/articles/CoercedPotato.html",
+ "https://github.com/hackvens/CoercedPotato",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml"
],
"tags": [
@@ -9311,9 +9312,9 @@
"refs": [
"https://twitter.com/d4rksystem/status/1357010969264873472",
"https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
"https://github.com/SigmaHQ/sigma/issues/253",
"https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
- "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml"
],
"tags": [
@@ -9702,8 +9703,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io",
"Personal research, statistical analysis",
+ "https://lolbas-project.github.io",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml"
],
"tags": [
@@ -9772,8 +9773,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/",
"https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/",
+ "https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml"
],
"tags": [
@@ -9848,8 +9849,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SBousseaden/status/1090588499517079552",
"https://github.com/mdsecactivebreach/CACTUSTORCH",
+ "https://twitter.com/SBousseaden/status/1090588499517079552",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml"
],
"tags": [
@@ -10098,8 +10099,8 @@
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io",
"Personal research, statistical analysis",
+ "https://lolbas-project.github.io",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml"
],
"tags": [
@@ -10457,8 +10458,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
],
"tags": [
@@ -10558,8 +10559,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
+ "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml"
],
"tags": [
@@ -10683,8 +10684,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
"Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml"
],
"tags": [
@@ -10742,8 +10743,8 @@
"logsource.product": "windows",
"refs": [
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
],
"tags": [
@@ -10776,9 +10777,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
- "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
"https://en.wikipedia.org/wiki/IExpress",
+ "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml"
],
"tags": [
@@ -10960,11 +10961,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -10997,9 +10998,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
"https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml"
],
"tags": [
@@ -11112,8 +11113,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
"https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
+ "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml"
],
"tags": [
@@ -11339,9 +11340,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/Yaxser/Backstab",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
"https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
"https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
- "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
],
"tags": [
@@ -11475,8 +11476,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
],
"tags": [
@@ -11544,8 +11545,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "Internal Research",
"https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
],
@@ -11579,8 +11580,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml"
],
"tags": [
@@ -11603,10 +11604,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
"https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
"https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
],
"tags": [
@@ -11786,8 +11787,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
"Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml"
],
"tags": [
@@ -12399,10 +12400,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
"https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
- "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
+ "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
"http://addbalance.com/word/startup.htm",
+ "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml"
],
"tags": [
@@ -12476,8 +12477,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://cobalt.io/blog/kerberoast-attack-techniques",
"https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
+ "https://cobalt.io/blog/kerberoast-attack-techniques",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml"
],
"tags": [
@@ -12534,26 +12535,26 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
"https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
"https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/CsEnox/EventViewer-UACBypass",
"https://github.com/besimorhino/powercat",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/samratashok/nishang",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/HarmJ0y/DAMP",
- "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
- "https://github.com/Kevin-Robertson/Powermad",
"https://github.com/adrecon/ADRecon",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/adrecon/AzureADRecon",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
],
"tags": [
@@ -12707,11 +12708,13 @@
"logsource.product": "windows",
"refs": [
"https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://github.com/CCob/MirrorDump",
+ "https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258",
+ "https://github.com/helpsystems/nanodump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35",
"https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
"https://www.google.com/search?q=procdump+lsass",
- "https://github.com/CCob/MirrorDump",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://github.com/helpsystems/nanodump",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
],
"tags": [
@@ -12812,10 +12815,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
"https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
"https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
],
"tags": [
@@ -13046,8 +13049,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
"Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml"
],
"tags": [
@@ -13104,9 +13107,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
"https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
- "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -13197,8 +13200,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
"https://persistence-info.github.io/Data/powershellprofile.html",
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
],
"tags": [
@@ -13232,10 +13235,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
"https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
+ "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
],
"tags": [
@@ -13542,8 +13545,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml"
],
"tags": [
@@ -13600,9 +13603,9 @@
"logsource.product": "windows",
"refs": [
"https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence",
+ "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
"https://liberty-shell.com/sec/2020/02/25/shim-persistence/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
- "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml"
],
"tags": [
@@ -13768,9 +13771,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
],
"tags": [
@@ -13860,11 +13863,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/luc4m/status/1073181154126254080",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://twitter.com/luc4m/status/1073181154126254080",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
"tags": [
@@ -13897,10 +13900,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://pentestlab.blog/tag/ntds-dit/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml"
],
"tags": [
@@ -14042,8 +14045,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/",
"https://asec.ahnlab.com/en/58878/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml"
],
"tags": [
@@ -14066,8 +14069,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/GossiTheDog/HiveNightmare",
"https://github.com/FireFart/hivenightmare/",
+ "https://github.com/GossiTheDog/HiveNightmare",
"https://github.com/WiredPulse/Invoke-HiveNightmare",
"https://twitter.com/cube0x0/status/1418920190759378944",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml"
@@ -14103,9 +14106,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
- "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml"
],
"tags": [
@@ -14214,8 +14217,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
],
"tags": [
@@ -14248,8 +14251,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/",
"https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py",
+ "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml"
],
"tags": [
@@ -14341,8 +14344,8 @@
"logsource.product": "windows",
"refs": [
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
+ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
"tags": [
@@ -14442,9 +14445,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
"https://github.com/fox-it/LDAPFragger",
"https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml"
],
"tags": [
@@ -14511,8 +14514,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/binderlabs/DirCreate2System",
+ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml"
],
"tags": [
@@ -14540,8 +14543,8 @@
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
"https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
"https://twitter.com/pfiatde/status/1681977680688738305",
- "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
"https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
+ "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml"
],
"tags": [
@@ -14658,11 +14661,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/luc4m/status/1073181154126254080",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
"https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://twitter.com/luc4m/status/1073181154126254080",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
"tags": [
@@ -14755,12 +14758,12 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/MaD_c4t/status/1623414582382567424",
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
- "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
- "https://labs.withsecure.com/publications/detecting-onenote-abuse",
"https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
+ "https://labs.withsecure.com/publications/detecting-onenote-abuse",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
+ "https://twitter.com/MaD_c4t/status/1623414582382567424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml"
],
"tags": [
@@ -15108,12 +15111,12 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://github.com/Wh04m1001/SysmonEoP",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -15156,8 +15159,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml"
],
"tags": [
@@ -15223,8 +15226,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
],
@@ -15258,11 +15261,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/FireFart/hivenightmare",
"https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934",
"https://www.google.com/search?q=%22reg.exe+save%22+sam",
- "https://github.com/search?q=CVE-2021-36934",
"https://github.com/HuskyHacks/ShadowSteal",
- "https://github.com/FireFart/hivenightmare",
+ "https://github.com/search?q=CVE-2021-36934",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
"tags": [
@@ -15329,8 +15332,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
+ "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml"
],
"tags": [
@@ -15500,8 +15503,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
"https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
+ "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credhist.yml"
],
"tags": [
@@ -15824,8 +15827,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0/CVE-2021-1675",
"https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
+ "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml"
],
"tags": [
@@ -15962,8 +15965,8 @@
"logsource.category": "file_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml"
],
"tags": [
@@ -16029,9 +16032,9 @@
"logsource.category": "file_executable_detected",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
- "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
"https://en.wikipedia.org/wiki/IExpress",
+ "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml"
],
"tags": [
@@ -16189,9 +16192,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
"https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
"https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
],
"tags": [
@@ -16224,9 +16227,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://github.com/hfiref0x/UACME",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
],
"tags": [
@@ -16476,8 +16479,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
],
@@ -16511,10 +16514,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
"https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://www.elastic.co/security-labs/operation-bleeding-bear",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml"
],
"tags": [
@@ -16566,8 +16569,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/bohops/status/1477717351017680899?s=12",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
"https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml"
],
"tags": [
@@ -16657,9 +16660,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://twitter.com/_JohnHammond/status/1531672601067675648",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"
],
"tags": [
@@ -16725,9 +16728,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
- "https://github.com/GhostPack/Rubeus",
"https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
+ "https://github.com/GhostPack/Rubeus",
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml"
],
"tags": [
@@ -16777,12 +16780,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
+ "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
"https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
+ "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
"https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
"https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior",
- "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
- "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
- "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml"
],
"tags": [
@@ -16815,12 +16818,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
"https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
"https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml"
],
@@ -16898,8 +16901,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml"
],
"tags": [
@@ -16933,9 +16936,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/bash/rar.html",
"https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://ss64.com/bash/rar.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml"
],
"tags": [
@@ -17227,10 +17230,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/",
- "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
- "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
"https://en.wikipedia.org/wiki/IExpress",
+ "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior",
+ "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html",
+ "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml"
],
"tags": [
@@ -17296,10 +17299,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml"
],
"tags": [
@@ -17414,9 +17417,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -17486,8 +17489,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
"https://mobile.twitter.com/0gtweet/status/1564131230941122561",
+ "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml"
],
"tags": [
@@ -17520,9 +17523,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml"
],
"tags": [
@@ -17555,8 +17558,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.pingcastle.com/documentation/scanner/",
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://www.pingcastle.com/documentation/scanner/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml"
],
"tags": [
@@ -17632,8 +17635,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BloodHoundAD/SharpHound",
"https://github.com/BloodHoundAD/BloodHound",
+ "https://github.com/BloodHoundAD/SharpHound",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml"
],
"tags": [
@@ -17757,9 +17760,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf",
"https://lolbas-project.github.io/lolbas/Binaries/Psr/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml"
],
"tags": [
@@ -17981,13 +17984,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
- "https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/zcgonvh/NTDSDumpEx",
+ "https://pentestlab.blog/tag/ntds-dit/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
"tags": [
@@ -18053,8 +18056,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml"
],
"tags": [
@@ -18087,8 +18090,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/network-tunneling-with-qemu/111803/",
"https://www.qemu.org/docs/master/system/invocation.html#hxtool-5",
+ "https://securelist.com/network-tunneling-with-qemu/111803/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml"
],
"tags": [
@@ -18129,8 +18132,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml"
],
"tags": [
@@ -18165,8 +18168,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
"https://dtm.uk/wuauclt/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml"
],
"tags": [
@@ -18361,8 +18364,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml"
],
"tags": [
@@ -18463,8 +18466,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
+ "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml"
],
"tags": [
@@ -18499,8 +18502,8 @@
"logsource.product": "windows",
"refs": [
"https://adepts.of0x.cc/netsh-portproxy-code/",
- "https://www.dfirnotes.net/portproxy_detection/",
"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml"
],
"tags": [
@@ -18609,10 +18612,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
+ "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
- "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml"
],
"tags": [
@@ -18676,9 +18679,9 @@
"value": "Terminal Service Process Spawn"
},
{
- "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.",
+ "description": "Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.\n",
"meta": {
- "author": "pH-T (Nextron Systems)",
+ "author": "pH-T (Nextron Systems), Sittikorn Sangrattanapitak",
"creation_date": "2023-04-17",
"falsepositive": [
"Unlikely"
@@ -18689,6 +18692,7 @@
"logsource.product": "windows",
"refs": [
"https://github.com/ly4k/Certipy",
+ "https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml"
],
"tags": [
@@ -18722,10 +18726,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
"https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
- "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml"
],
"tags": [
@@ -18792,8 +18796,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/cloudflare/cloudflared",
"https://blog.reconinfosec.com/emergence-of-akira-ransomware-group",
+ "https://github.com/cloudflare/cloudflared",
"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml"
],
@@ -19301,8 +19305,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
],
@@ -19361,11 +19365,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Hexacorn/status/885570278637678592",
- "https://twitter.com/Hexacorn/status/885553465417756673",
"https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
- "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
"https://twitter.com/vysecurity/status/885545634958385153",
+ "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
+ "https://twitter.com/Hexacorn/status/885570278637678592",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml"
],
"tags": [
@@ -19454,8 +19458,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
],
"tags": [
@@ -19488,8 +19492,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/wusa.exe/",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.echotrail.io/insights/search/wusa.exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml"
],
"tags": [
@@ -19662,8 +19666,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml"
],
"tags": [
@@ -19754,8 +19758,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/decoder-it/LocalPotato",
"https://www.localpotato.com/localpotato_html/LocalPotato.html",
+ "https://github.com/decoder-it/LocalPotato",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml"
],
"tags": [
@@ -20140,8 +20144,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
"https://pentestlab.blog/tag/svchost/",
+ "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml"
],
"tags": [
@@ -20174,8 +20178,8 @@
"logsource.product": "windows",
"refs": [
"https://www.mandiant.com/resources/blog/lnk-between-browsers",
- "https://emkc.org/s/RJjuLa",
"https://redcanary.com/blog/chromeloader/",
+ "https://emkc.org/s/RJjuLa",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml"
],
"tags": [
@@ -20208,8 +20212,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -20308,9 +20312,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bash/",
"https://linux.die.net/man/1/bash",
"Internal Research",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bash/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml"
],
"tags": [
@@ -20411,9 +20415,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
- "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2",
"https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+ "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2",
+ "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"
],
"tags": [
@@ -20513,9 +20517,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml"
],
"tags": [
@@ -20571,10 +20575,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
- "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml"
],
"tags": [
@@ -20607,8 +20611,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
"https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows",
+ "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml"
],
"tags": [
@@ -20658,8 +20662,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
"https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml"
],
"tags": [
@@ -20734,10 +20738,10 @@
"logsource.product": "windows",
"refs": [
"https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
- "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
"https://twitter.com/aceresponder/status/1636116096506818562",
- "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
"https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
+ "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
+ "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml"
],
"tags": [
@@ -20771,9 +20775,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
"https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
- "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml"
],
"tags": [
@@ -20839,8 +20843,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
"https://www.youtube.com/watch?v=Ie831jF0bb0",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml"
],
"tags": [
@@ -20882,9 +20886,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
"https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product",
"https://www.yeahhub.com/list-installed-programs-version-path-windows/",
- "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"
],
"tags": [
@@ -20918,8 +20922,8 @@
"logsource.product": "windows",
"refs": [
"https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
"https://twitter.com/egre55/status/1087685529016193025",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
@@ -20954,8 +20958,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
"Internal Research",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml"
],
"tags": [
@@ -20988,10 +20992,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
- "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml"
],
"tags": [
@@ -21024,9 +21028,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
- "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
"https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml"
],
"tags": [
@@ -21130,9 +21134,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
"https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"
],
"tags": [
@@ -21261,6 +21265,39 @@
"uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b",
"value": "Security Privileges Enumeration Via Whoami.EXE"
},
+ {
+ "description": "Detects possible search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\nThis string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022-10-25",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_jwt_token_search.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://mrd0x.com/stealing-tokens-from-office-applications/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml"
+ ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1528"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
+ "value": "Potentially Suspicious JWT Token Search Via CLI"
+ },
{
"description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.",
"meta": {
@@ -21275,8 +21312,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml"
],
"tags": [
@@ -21310,10 +21347,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
"https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"
],
"tags": [
@@ -21337,8 +21374,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"
],
"tags": [
@@ -21460,8 +21497,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"
],
"tags": [
@@ -21621,8 +21658,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
"https://twitter.com/mrd0x/status/1475085452784844803?s=12",
+ "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
],
"tags": [
@@ -21663,10 +21700,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"
],
"tags": [
@@ -21755,8 +21792,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
"https://github.com/dsnezhkov/TruffleSnout",
+ "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml"
],
@@ -21824,9 +21861,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
"https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html",
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml"
],
@@ -21860,8 +21897,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml"
],
"tags": [
@@ -22110,11 +22147,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://man.openbsd.org/ssh_config#LocalCommand",
- "https://gtfobins.github.io/gtfobins/ssh/",
- "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
- "https://man.openbsd.org/ssh_config#ProxyCommand",
"https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
+ "https://gtfobins.github.io/gtfobins/ssh/",
+ "https://man.openbsd.org/ssh_config#LocalCommand",
+ "https://man.openbsd.org/ssh_config#ProxyCommand",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml"
],
"tags": [
@@ -22147,10 +22184,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
],
"tags": [
@@ -22194,8 +22231,8 @@
"logsource.product": "windows",
"refs": [
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://www.intrinsec.com/apt27-analysis/",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
],
"tags": [
@@ -22435,8 +22472,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
],
@@ -22615,8 +22652,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
"https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml"
],
"tags": [
@@ -22750,8 +22787,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
"https://twitter.com/pabraeken/status/993298228840992768",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml"
],
"tags": [
@@ -22794,9 +22831,9 @@
"logsource.product": "windows",
"refs": [
"https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
+ "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
"https://redcanary.com/blog/msix-installers/",
"https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml"
],
"tags": [
@@ -22830,9 +22867,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
"https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml"
],
"tags": [
@@ -22966,8 +23003,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml"
],
"tags": [
@@ -23013,10 +23050,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
- "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
- "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
"https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
+ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
+ "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+ "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml"
],
"tags": [
@@ -23223,9 +23260,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
- "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
"https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
+ "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
],
"tags": [
@@ -23292,13 +23329,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
- "https://taggart-tech.com/quasar-electron/",
- "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
- "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
- "https://github.com/mttaggart/quasar",
- "https://positive.security/blog/ms-officecmd-rce",
"https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://github.com/mttaggart/quasar",
+ "https://taggart-tech.com/quasar-electron/",
+ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
+ "https://positive.security/blog/ms-officecmd-rce",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
],
"tags": [
@@ -23354,8 +23391,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://twitter.com/frack113/status/1555830623633375232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"
],
@@ -23456,8 +23493,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup",
"https://twitter.com/Oddvarmoe/status/1641712700605513729",
+ "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml"
],
"tags": [
@@ -23480,11 +23517,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
],
"tags": [
@@ -23517,13 +23554,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii",
+ "https://asec.ahnlab.com/en/78944/",
"https://www.huntress.com/blog/attacking-mssql-servers",
"https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/",
- "https://asec.ahnlab.com/en/61000/",
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://asec.ahnlab.com/en/78944/",
+ "https://www.huntress.com/blog/attacking-mssql-servers-pt-ii",
"https://docs.microsoft.com/en-us/sql/tools/bcp-utility",
+ "https://asec.ahnlab.com/en/61000/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml"
],
"tags": [
@@ -23556,9 +23593,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://www.echotrail.io/insights/search/wermgr.exe",
"https://github.com/binderlabs/DirCreate2System",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
],
"tags": [
@@ -23904,9 +23941,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
],
"tags": [
@@ -23972,10 +24009,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091",
- "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/",
- "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/",
"https://tria.ge/240521-ynezpagf56/behavioral1",
+ "https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/",
+ "https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/",
+ "https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml"
],
"tags": [
@@ -24043,11 +24080,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://twitter.com/cglyer/status/1355171195654709249",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
+ "https://twitter.com/cglyer/status/1355171195654709249",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
],
"tags": [
@@ -24080,8 +24117,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
+ "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"
],
"tags": [
@@ -24222,9 +24259,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
"http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
"http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml"
],
"tags": [
@@ -24258,8 +24295,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml"
],
@@ -24327,8 +24364,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml"
],
@@ -24505,8 +24542,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
"https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/",
+ "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"
],
"tags": [
@@ -24539,8 +24576,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
"https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core",
+ "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml"
],
"tags": [
@@ -24573,12 +24610,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
- "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
- "https://github.com/vletoux/pingcastle",
"https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
- "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
+ "https://github.com/vletoux/pingcastle",
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
"https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml"
],
@@ -24612,9 +24649,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
+ "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml"
],
"tags": [
@@ -24648,8 +24685,8 @@
"logsource.product": "windows",
"refs": [
"https://www.mandiant.com/resources/blog/lnk-between-browsers",
- "https://emkc.org/s/RJjuLa",
"https://redcanary.com/blog/chromeloader/",
+ "https://emkc.org/s/RJjuLa",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
],
"tags": [
@@ -24682,11 +24719,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
- "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+ "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
],
"tags": [
@@ -24763,11 +24800,11 @@
"logsource.product": "windows",
"refs": [
"https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://github.com/Hackndo/lsassy",
"https://github.com/CCob/MirrorDump",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
"https://github.com/helpsystems/nanodump",
+ "https://github.com/Hackndo/lsassy",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
],
"tags": [
@@ -24800,8 +24837,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Oddvarmoe/status/985518877076541440",
"https://lolbas-project.github.io/lolbas/Binaries/Print/",
+ "https://twitter.com/Oddvarmoe/status/985518877076541440",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"
],
"tags": [
@@ -24883,9 +24920,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://www.php.net/manual/en/features.commandline.php",
- "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
],
"tags": [
@@ -24943,8 +24980,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
"https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
],
"tags": [
@@ -24977,8 +25014,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml"
],
"tags": [
@@ -25045,8 +25082,8 @@
"logsource.product": "windows",
"refs": [
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml"
],
"tags": [
@@ -25190,9 +25227,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
"https://twitter.com/Max_Mal_/status/1633863678909874176",
"Internal Research",
- "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
"https://twitter.com/_JohnHammond/status/1588155401752788994",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml"
],
@@ -25349,9 +25386,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
"https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
"https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
- "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
],
"tags": [
@@ -25384,9 +25421,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
- "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
"https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
+ "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml"
],
"tags": [
@@ -25455,8 +25492,8 @@
"refs": [
"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
"https://github.com/defaultnamehere/cookie_crimes/",
- "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
+ "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml"
],
"tags": [
@@ -25555,9 +25592,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
],
"tags": [
@@ -25659,8 +25696,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml"
],
"tags": [
@@ -25922,8 +25959,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
"https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml"
],
"tags": [
@@ -26007,8 +26044,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ShadowChasing1/status/1552595370961944576",
"https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
+ "https://twitter.com/ShadowChasing1/status/1552595370961944576",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml"
],
"tags": [
@@ -26142,9 +26179,9 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
],
"tags": [
@@ -26195,8 +26232,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
"https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
],
"tags": [
@@ -26229,12 +26266,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://redcanary.com/blog/raspberry-robin/",
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
+ "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
- "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml"
],
"tags": [
@@ -26300,8 +26337,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://www.gpg4win.de/documentation.html",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml"
],
@@ -26325,8 +26362,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml"
],
"tags": [
@@ -26359,10 +26396,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
- "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml"
],
"tags": [
@@ -26395,8 +26432,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml"
],
"tags": [
@@ -26463,8 +26500,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/nettitude/SharpWSUS",
- "https://labs.nettitude.com/blog/introducing-sharpwsus/",
"https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1",
+ "https://labs.nettitude.com/blog/introducing-sharpwsus/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml"
],
"tags": [
@@ -26531,8 +26568,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml"
],
"tags": [
@@ -26758,8 +26795,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/hexacorn/status/1448037865435320323",
"https://twitter.com/Gal_B1t/status/1062971006078345217",
+ "https://twitter.com/hexacorn/status/1448037865435320323",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml"
],
"tags": [
@@ -26792,8 +26829,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
"https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml"
],
"tags": [
@@ -26902,8 +26939,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml"
],
"tags": [
@@ -26936,8 +26973,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
"https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
+ "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"
],
"tags": [
@@ -27063,10 +27100,10 @@
"logsource.product": "windows",
"refs": [
"https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
- "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
"https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
+ "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml"
],
"tags": [
@@ -27160,8 +27197,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://github.com/antonioCoco/RogueWinRM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
],
@@ -27195,8 +27232,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
],
"tags": [
@@ -27270,8 +27307,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/carlospolop/PEASS-ng",
"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
+ "https://github.com/carlospolop/PEASS-ng",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml"
],
"tags": [
@@ -27343,8 +27380,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml"
],
"tags": [
@@ -27433,8 +27470,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
"https://twitter.com/mrd0x/status/1478116126005641220",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml"
],
"tags": [
@@ -27576,12 +27613,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
],
"tags": [
@@ -27780,10 +27817,10 @@
"logsource.product": "windows",
"refs": [
"https://github.com/cloudflare/cloudflared",
- "https://www.intrinsec.com/akira_ransomware/",
- "https://github.com/cloudflare/cloudflared/releases",
"https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
+ "https://www.intrinsec.com/akira_ransomware/",
"https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://github.com/cloudflare/cloudflared/releases",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml"
],
"tags": [
@@ -27816,9 +27853,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://twitter.com/nas_bench/status/1534915321856917506",
"https://twitter.com/nas_bench/status/1534916659676422152",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml"
],
"tags": [
@@ -27894,8 +27931,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://www.gpg4win.de/documentation.html",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml"
],
@@ -28021,8 +28058,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml"
],
"tags": [
@@ -28055,8 +28092,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
+ "https://learn.microsoft.com/en-us/azure/dns/dns-zones-records",
"https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
],
@@ -28341,8 +28378,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
"https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml"
],
"tags": [
@@ -28375,8 +28412,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_felamos/status/1179811992841797632",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
+ "https://twitter.com/_felamos/status/1179811992841797632",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml"
],
"tags": [
@@ -28442,8 +28479,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://anydesk.com/en/changelog/windows",
"https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/",
+ "https://anydesk.com/en/changelog/windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml"
],
"tags": [
@@ -28467,9 +28504,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://reaqta.com/2017/11/short-journey-darkvnc/",
- "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
"https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
+ "https://reaqta.com/2017/11/short-journey-darkvnc/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml"
],
"tags": [
@@ -28527,8 +28564,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/0xthirteen/SharpMove/",
"https://pentestlab.blog/tag/sharpmove/",
+ "https://github.com/0xthirteen/SharpMove/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml"
],
"tags": [
@@ -28561,12 +28598,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
- "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
- "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
- "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
"https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
"https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper",
+ "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
+ "https://www.attackiq.com/2023/09/20/emulating-rhysida/",
+ "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior",
+ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml"
],
"tags": [
@@ -28609,9 +28646,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
"https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
],
"tags": [
@@ -28701,8 +28738,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
"https://github.com/sensepost/impersonate",
+ "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml"
],
"tags": [
@@ -28870,12 +28907,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
"https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
"https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml"
],
@@ -28909,8 +28946,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
"https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml"
],
"tags": [
@@ -29010,8 +29047,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat",
"https://hashcat.net/wiki/doku.php?id=hashcat",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml"
],
"tags": [
@@ -29110,8 +29147,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1460815932402679809",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/",
+ "https://twitter.com/mrd0x/status/1460815932402679809",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml"
],
"tags": [
@@ -29145,8 +29182,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
"https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"
],
"tags": [
@@ -29180,8 +29217,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
"https://ss64.com/nt/dsacls.html",
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
],
"tags": [
@@ -29214,8 +29251,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
"https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"
],
"tags": [
@@ -29248,8 +29285,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml"
],
"tags": [
@@ -29283,8 +29320,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
"https://twitter.com/EricaZelic/status/1614075109827874817",
"https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
@@ -29335,9 +29372,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
],
"tags": [
@@ -29370,8 +29407,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
"https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml"
],
"tags": [
@@ -29439,14 +29476,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
"https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://twitter.com/gN3mes1s/status/941315826107510784",
"https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
"https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
"https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
],
"tags": [
@@ -29564,8 +29601,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
- "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://twitter.com/Hexacorn/status/1420053502554951689",
+ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml"
],
"tags": [
@@ -29643,8 +29680,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml"
],
"tags": [
@@ -29677,10 +29714,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
],
"tags": [
@@ -29778,9 +29815,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.nirsoft.net/utils/nircmd.html",
"https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
],
"tags": [
@@ -29838,8 +29875,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
],
"tags": [
@@ -29872,8 +29909,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
],
@@ -29976,8 +30013,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
"https://redcanary.com/blog/child-processes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml"
],
@@ -30011,9 +30048,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/",
"https://twitter.com/RedDrip7/status/1506480588827467785",
"https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
+ "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"
],
"tags": [
@@ -30046,9 +30083,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
"https://twitter.com/pabraeken/status/999090532839313408",
"https://twitter.com/pabraeken/status/995837734379032576",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml"
],
"tags": [
@@ -30158,8 +30195,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
- "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
],
"tags": [
@@ -30260,17 +30297,17 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
"https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
],
"tags": [
@@ -30370,8 +30407,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
+ "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml"
],
"tags": [
@@ -30447,8 +30484,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/",
"https://www.echotrail.io/insights/search/msbuild.exe",
+ "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml"
],
"tags": [
@@ -30527,8 +30564,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
"https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml"
],
"tags": [
@@ -30585,8 +30622,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://www.cobaltstrike.com/help-windows-executable",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://redcanary.com/threat-detection-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
],
@@ -30620,10 +30657,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml",
- "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
"https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
],
"tags": [
@@ -30666,8 +30703,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"
],
"tags": [
@@ -30937,9 +30974,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tccontre18/status/1480950986650832903",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
"https://twitter.com/mrd0x/status/1461041276514623491",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
+ "https://twitter.com/tccontre18/status/1480950986650832903",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml"
],
"tags": [
@@ -30972,13 +31009,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.softperfect.com/products/networkscanner/",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
"https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/",
+ "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
"https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
"https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
- "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
+ "https://www.softperfect.com/products/networkscanner/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml"
],
"tags": [
@@ -31120,9 +31157,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
],
"tags": [
@@ -31275,8 +31312,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"
],
"tags": [
@@ -31485,10 +31522,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://twitter.com/ForensicITGuy/status/1334734244120309760",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
],
"tags": [
@@ -31573,9 +31610,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
"https://twitter.com/bohops/status/994405551751815170",
"https://redcanary.com/blog/lateral-movement-winrm-wmi/",
+ "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
],
"tags": [
@@ -31608,8 +31645,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml"
],
"tags": [
@@ -31642,10 +31679,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
- "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
- "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
"https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
+ "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
+ "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
],
"tags": [
@@ -31710,8 +31747,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml"
],
"tags": [
@@ -31745,8 +31782,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2288",
"https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
+ "https://adsecurity.org/?p=2288",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml"
],
"tags": [
@@ -31886,8 +31923,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
"https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml"
],
"tags": [
@@ -31937,8 +31974,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
"https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
"https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml"
],
@@ -32058,8 +32095,8 @@
"logsource.product": "windows",
"refs": [
"https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
- "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
"https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
+ "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
],
"tags": [
@@ -32093,9 +32130,9 @@
"logsource.product": "windows",
"refs": [
"https://youtu.be/5mqid-7zp8k?t=2481",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
],
"tags": [
@@ -32220,10 +32257,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
],
"tags": [
@@ -32266,8 +32303,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cglyer/status/1182389676876980224",
"https://twitter.com/cglyer/status/1182391019633029120",
+ "https://twitter.com/cglyer/status/1182389676876980224",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
],
"tags": [
@@ -32323,12 +32360,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://isc.sans.edu/diary/22264",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
],
"tags": [
@@ -32371,8 +32408,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
"https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml"
],
@@ -32406,8 +32443,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/DissectMalware/status/998797808907046913",
"https://www.phpied.com/make-your-javascript-a-windows-exe/",
+ "https://twitter.com/DissectMalware/status/998797808907046913",
"https://lolbas-project.github.io/lolbas/Binaries/Jsc/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml"
],
@@ -32661,9 +32698,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
- "https://github.com/grayhatkiller/SharpExShell",
"https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922",
+ "https://github.com/grayhatkiller/SharpExShell",
+ "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml"
],
"tags": [
@@ -32696,9 +32733,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
"https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"
],
"tags": [
@@ -32931,10 +32968,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
+ "https://twitter.com/bohops/status/1276357235954909188?s=12",
"https://twitter.com/nas_bench/status/1535322450858233858",
"https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
- "https://twitter.com/bohops/status/1276357235954909188?s=12",
+ "https://twitter.com/CyberRaiju/status/1273597319322058752",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
],
"tags": [
@@ -32968,8 +33005,8 @@
"logsource.product": "windows",
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
- "https://unit42.paloaltonetworks.com/chromeloader-malware/",
"https://lolbas-project.github.io/lolbas/Binaries/Tar/",
+ "https://unit42.paloaltonetworks.com/chromeloader-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml"
],
"tags": [
@@ -33011,10 +33048,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
- "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
+ "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml"
],
"tags": [
@@ -33106,8 +33143,8 @@
"logsource.product": "windows",
"refs": [
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
],
"tags": [
@@ -33141,14 +33178,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
"https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://twitter.com/gN3mes1s/status/941315826107510784",
"https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
"https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
"https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
],
"tags": [
@@ -33213,9 +33250,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
],
"tags": [
@@ -33329,9 +33366,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.scythe.io/library/threat-emulation-qakbot",
"https://thedfirreport.com/2021/12/13/diavol-ransomware/",
"https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
+ "https://www.scythe.io/library/threat-emulation-qakbot",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml"
],
"tags": [
@@ -33388,8 +33425,8 @@
"logsource.product": "windows",
"refs": [
"https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png",
- "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
"https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
+ "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml"
],
"tags": [
@@ -33424,9 +33461,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml"
],
"tags": [
@@ -33529,8 +33566,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/sensepost/ruler",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
],
"tags": [
@@ -33729,10 +33766,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/lefterispan/status/1286259016436514816",
"https://twitter.com/jseerden/status/1247985304667066373/photo/1",
- "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml"
],
"tags": [
@@ -33765,8 +33802,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/3proxy/3proxy",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml"
],
"tags": [
@@ -33833,10 +33870,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
- "https://twitter.com/mrd0x/status/1511489821247684615",
"https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
"https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
],
"tags": [
@@ -33948,10 +33985,10 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
- "https://twitter.com/nao_sec/status/1530196847679401984",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
],
"tags": [
@@ -33992,8 +34029,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
"https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
+ "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml"
],
"tags": [
@@ -34036,8 +34073,8 @@
"logsource.product": "windows",
"refs": [
"https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
],
"tags": [
@@ -34093,9 +34130,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.exploit-db.com/exploits/37525",
"https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
"https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
- "https://www.exploit-db.com/exploits/37525",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
],
"tags": [
@@ -34195,11 +34232,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/",
- "https://github.com/AlessandroZ/LaZagne/tree/master",
"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf",
- "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
+ "https://github.com/AlessandroZ/LaZagne/tree/master",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml"
],
"tags": [
@@ -34256,8 +34293,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
],
"tags": [
@@ -34390,8 +34427,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
],
"tags": [
@@ -34424,8 +34461,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules",
"https://ss64.com/nt/netsh.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml"
],
"tags": [
@@ -34458,10 +34495,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
- "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
],
"tags": [
@@ -34494,10 +34531,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/",
"https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/",
"https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml"
],
"tags": [
@@ -34563,8 +34600,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
"https://ss64.com/nt/mklink.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
],
"tags": [
@@ -34643,9 +34680,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
],
@@ -34789,12 +34826,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
"https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml"
],
"tags": [
@@ -34869,8 +34906,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securityxploded.com/",
"https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
+ "https://securityxploded.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml"
],
"tags": [
@@ -34903,10 +34940,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/defaultnamehere/cookie_crimes/",
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
"https://github.com/wunderwuzzi23/firefox-cookiemonster",
+ "https://github.com/defaultnamehere/cookie_crimes/",
"https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
],
"tags": [
@@ -35142,9 +35179,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.revshells.com/",
- "https://nmap.org/ncat/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+ "https://nmap.org/ncat/",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
],
"tags": [
@@ -35403,9 +35440,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
],
"tags": [
@@ -35462,11 +35499,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://twitter.com/cyberwar_15/status/1187287262054076416",
"https://blog.alyac.co.kr/1901",
"https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
"https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
],
"tags": [
@@ -35517,11 +35554,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive",
"https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
"https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
- "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive",
"https://twitter.com/0gtweet/status/1299071304805560321?s=21",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
],
"tags": [
@@ -35621,9 +35658,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
- "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
],
"tags": [
@@ -35679,8 +35716,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml"
],
"tags": [
@@ -35713,8 +35750,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
"https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt",
+ "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
"https://twitter.com/n1nj4sec/status/1421190238081277959",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml"
],
@@ -35739,8 +35776,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
"https://twitter.com/vysecurity/status/977198418354491392",
+ "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml"
],
"tags": [
@@ -35781,9 +35818,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
],
"tags": [
@@ -35839,8 +35876,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
+ "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
],
"tags": [
@@ -35965,8 +36002,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
"https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
+ "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
],
"tags": [
@@ -35999,8 +36036,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
"https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
],
@@ -36034,12 +36071,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://twitter.com/eral4m/status/1479080793003671557",
- "https://twitter.com/nas_bench/status/1433344116071583746",
- "https://twitter.com/Hexacorn/status/885258886428725250",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
"https://twitter.com/eral4m/status/1479106975967240209",
+ "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
+ "https://twitter.com/eral4m/status/1479080793003671557",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
],
"tags": [
@@ -36138,9 +36175,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
"https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
"https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
],
"tags": [
@@ -36230,8 +36267,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
"https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml"
],
"tags": [
@@ -36267,11 +36304,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
],
"tags": [
@@ -36403,8 +36440,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
"https://github.com/quarkslab/quarkspwdump",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml"
],
"tags": [
@@ -36479,9 +36516,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
"https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml"
],
"tags": [
@@ -36682,8 +36719,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
"https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
+ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml"
],
"tags": [
@@ -36922,8 +36959,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ber_m1ng/status/1397948048135778309",
"https://www.cobaltstrike.com/help-opsec",
+ "https://twitter.com/ber_m1ng/status/1397948048135778309",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml"
],
"tags": [
@@ -37022,11 +37059,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://twitter.com/0gtweet/status/1628720819537936386",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
],
"tags": [
@@ -37061,9 +37098,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
"https://www.revshells.com/",
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
],
"tags": [
@@ -37219,9 +37256,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/cloudflare/cloudflared",
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
"https://www.intrinsec.com/akira_ransomware/",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://github.com/cloudflare/cloudflared",
"https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml"
],
@@ -37337,9 +37374,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
"https://lab52.io/blog/winter-vivern-all-summer/",
"https://hatching.io/blog/powershell-analysis/",
- "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
],
"tags": [
@@ -37439,10 +37476,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://twitter.com/Z3Jpa29z/status/1317545798981324801",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
],
"tags": [
@@ -37526,9 +37563,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
],
"tags": [
@@ -37594,9 +37631,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
"https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
+ "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
],
"tags": [
@@ -37645,9 +37682,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://twitter.com/nas_bench/status/1534957360032120833",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
+ "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml"
],
"tags": [
@@ -37763,8 +37800,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/Kevin-Robertson/Inveigh",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml"
],
"tags": [
@@ -37933,8 +37970,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+ "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml"
],
"tags": [
@@ -38053,9 +38090,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
- "https://twitter.com/mattifestation/status/1196390321783025666",
"https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
],
"tags": [
@@ -38276,8 +38313,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
"https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml"
],
"tags": [
@@ -38311,8 +38348,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1457676633809330184",
"https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
+ "https://twitter.com/0gtweet/status/1457676633809330184",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml"
],
"tags": [
@@ -38411,10 +38448,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nodejs.org/api/cli.html",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
"https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "https://nodejs.org/api/cli.html",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
],
"tags": [
@@ -38448,8 +38485,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt",
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml"
],
"tags": [
@@ -38472,9 +38509,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
- "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
"https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
+ "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml"
],
"tags": [
@@ -38508,9 +38545,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml"
],
"tags": [
@@ -38543,8 +38580,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml"
],
"tags": [
@@ -38600,24 +38637,24 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://adsecurity.org/?p=2921",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/besimorhino/powercat",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/samratashok/nishang",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/adrecon/ADRecon",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/adrecon/AzureADRecon",
"https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/besimorhino/powercat",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
],
"tags": [
@@ -38800,8 +38837,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
- "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
"https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
+ "https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml"
],
"tags": [
@@ -38868,8 +38905,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml"
],
"tags": [
@@ -39189,10 +39226,10 @@
"logsource.product": "windows",
"refs": [
"https://github.com/cloudflare/cloudflared",
- "https://www.intrinsec.com/akira_ransomware/",
- "https://github.com/cloudflare/cloudflared/releases",
"https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/",
+ "https://www.intrinsec.com/akira_ransomware/",
"https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
+ "https://github.com/cloudflare/cloudflared/releases",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml"
],
"tags": [
@@ -39375,9 +39412,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
"https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
"https://twitter.com/pabraeken/status/990758590020452353",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
],
"tags": [
@@ -39467,10 +39504,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/lefterispan/status/1286259016436514816",
"https://twitter.com/jseerden/status/1247985304667066373/photo/1",
- "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml"
],
"tags": [
@@ -39605,10 +39642,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
- "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
- "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
"https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
+ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
+ "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+ "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"
],
"tags": [
@@ -39642,8 +39679,8 @@
"logsource.product": "windows",
"refs": [
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_output.yml"
],
"tags": [
@@ -39734,12 +39771,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
"https://www.localpotato.com/",
- "https://github.com/ohpe/juicy-potato",
- "https://pentestlab.blog/2017/04/13/hot-potato/",
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://github.com/ohpe/juicy-potato",
+ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
"https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
],
"tags": [
@@ -39840,12 +39877,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml"
],
"tags": [
@@ -39886,9 +39923,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
"https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"
],
"tags": [
@@ -40057,8 +40094,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml"
],
"tags": [
@@ -40196,13 +40233,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
"https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
"https://ngrok.com/docs",
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
- "https://twitter.com/xorJosh/status/1598646907802451969",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
"https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://twitter.com/xorJosh/status/1598646907802451969",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
],
"tags": [
@@ -40338,9 +40375,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
"https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml"
],
"tags": [
@@ -40410,8 +40447,8 @@
"logsource.product": "windows",
"refs": [
"https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
"https://twitter.com/0gtweet/status/1628720819537936386",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml"
],
"tags": [
@@ -40521,8 +40558,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
"https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
"https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml"
],
@@ -40622,8 +40659,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"
],
"tags": [
@@ -40794,11 +40831,11 @@
"logsource.product": "windows",
"refs": [
"https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
"https://twitter.com/egre55/status/1087685529016193025",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
],
"tags": [
@@ -40833,8 +40870,8 @@
"refs": [
"https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
"https://twitter.com/hFireF0X/status/897640081053364225",
- "https://github.com/hfiref0x/UACME",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml"
],
"tags": [
@@ -40879,8 +40916,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
"https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
+ "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml"
],
"tags": [
@@ -40957,15 +40994,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
"https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/Neo23x0/Raccine#the-process",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
],
"tags": [
@@ -41040,9 +41077,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml"
],
"tags": [
@@ -41227,9 +41264,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
+ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
],
"tags": [
@@ -41263,9 +41300,9 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
- "https://adsecurity.org/?p=2604",
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
+ "https://adsecurity.org/?p=2604",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -41298,9 +41335,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://twitter.com/jonasLyk/status/1555914501802921984",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml"
],
"tags": [
@@ -41497,8 +41534,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
"https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
+ "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml"
],
"tags": [
@@ -41531,12 +41568,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
],
"tags": [
@@ -41571,8 +41608,8 @@
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
"https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
"https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
],
"tags": [
@@ -41664,10 +41701,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
- "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
- "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://twitter.com/M_haggis/status/1699056847154725107",
+ "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
+ "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
+ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"
],
"tags": [
@@ -41691,8 +41728,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/mshta.exe",
"https://en.wikipedia.org/wiki/HTML_Application",
+ "https://www.echotrail.io/insights/search/mshta.exe",
"https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
],
@@ -41726,9 +41763,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/fireeye/DueDLLigence",
"https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
+ "https://github.com/fireeye/DueDLLigence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
],
"tags": [
@@ -41846,9 +41883,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
"https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
+ "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
"https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
],
@@ -41915,16 +41952,16 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://twitter.com/_xpn_/status/1268712093928378368",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://bunnyinside.com/?term=f71e8cb9c76a",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml"
],
"tags": [
@@ -41980,11 +42017,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
"https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script",
- "https://twitter.com/mattifestation/status/1326228491302563846",
"http://blog.sevagas.com/?Hacking-around-HTA-files",
+ "https://twitter.com/mattifestation/status/1326228491302563846",
+ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
],
"tags": [
@@ -42035,15 +42072,15 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3",
- "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf",
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1",
- "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/",
- "https://www.group-ib.com/blog/apt41-world-tour-2021/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a",
+ "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/",
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3",
+ "https://www.group-ib.com/blog/apt41-world-tour-2021/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml"
],
"tags": [
@@ -42246,10 +42283,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml"
],
"tags": [
@@ -42308,9 +42345,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
"http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
"http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml"
],
"tags": [
@@ -42344,10 +42381,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
],
"tags": [
@@ -42456,13 +42493,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
"https://www.cobaltstrike.com/help-opsec",
+ "https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
"https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
"https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
],
"tags": [
@@ -42551,9 +42588,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
"https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml"
],
"tags": [
@@ -42656,8 +42693,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
"https://twitter.com/pabraeken/status/991335019833708544",
+ "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
],
"tags": [
@@ -42733,9 +42770,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://www.echotrail.io/insights/search/wermgr.exe",
"https://github.com/binderlabs/DirCreate2System",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml"
],
"tags": [
@@ -42758,8 +42795,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml"
],
"tags": [
@@ -42857,8 +42894,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/gootloader/",
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://redcanary.com/blog/gootloader/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml"
],
"tags": [
@@ -42899,8 +42936,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
"https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml"
],
"tags": [
@@ -42957,8 +42994,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/",
"https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/",
+ "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml"
],
"tags": [
@@ -43083,8 +43120,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
+ "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml"
],
"tags": [
@@ -43120,8 +43157,8 @@
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3",
"https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation",
"https://twitter.com/pfiatde/status/1681977680688738305",
- "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
"https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/",
+ "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml"
],
"tags": [
@@ -43221,8 +43258,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
"https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml"
],
"tags": [
@@ -43356,9 +43393,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
"https://www.activecyber.us/activelabs/windows-uac-bypass",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
"https://twitter.com/ReaQta/status/1222548288731217921",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
],
@@ -43426,9 +43463,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/issues/1009",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml"
],
"tags": [
@@ -43618,8 +43655,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
"https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
],
"tags": [
@@ -43718,8 +43755,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/aadinternals/",
"https://github.com/Gerenios/AADInternals",
+ "https://o365blog.com/aadinternals/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml"
],
"tags": [
@@ -43804,8 +43841,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml"
],
"tags": [
@@ -43946,8 +43983,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml"
],
"tags": [
@@ -43970,9 +44007,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://www.nirsoft.net/utils/nircmd.html",
"https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
],
"tags": [
@@ -44139,8 +44176,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
+ "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml"
],
"tags": [
@@ -44164,8 +44201,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://twitter.com/pabraeken/status/993298228840992768",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
],
"tags": [
@@ -44274,8 +44311,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
"https://support.anydesk.com/Automatic_Deployment",
+ "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"
],
"tags": [
@@ -44341,9 +44378,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/",
"https://kb.acronis.com/content/60892",
"https://learn.microsoft.com/en-us/sysinternals/downloads/livekd",
+ "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml"
],
"tags": [
@@ -44408,8 +44445,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
],
"tags": [
@@ -44477,9 +44514,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml"
],
"tags": [
@@ -44512,8 +44549,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1477925112561209344",
"https://twitter.com/wdormann/status/1478011052130459653?s=20",
+ "https://twitter.com/0gtweet/status/1477925112561209344",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml"
],
"tags": [
@@ -44537,8 +44574,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
"https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
],
"tags": [
@@ -44705,8 +44742,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml"
],
"tags": [
@@ -44739,8 +44776,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"
],
"tags": [
@@ -44773,11 +44810,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
+ "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
],
"tags": [
@@ -44827,10 +44864,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml"
],
"tags": [
@@ -45013,12 +45050,12 @@
"logsource.product": "windows",
"refs": [
"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
- "https://twitter.com/SBousseaden/status/1167417096374050817",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://twitter.com/Hexacorn/status/1224848930795552769",
- "https://twitter.com/Wietze/status/1542107456507203586",
+ "https://twitter.com/SBousseaden/status/1167417096374050817",
"https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
"https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py",
- "https://twitter.com/shantanukhande/status/1229348874298388484",
+ "https://twitter.com/Wietze/status/1542107456507203586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
],
"tags": [
@@ -45061,9 +45098,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
- "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"
],
"tags": [
@@ -45096,8 +45133,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml"
],
"tags": [
@@ -45166,8 +45203,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://ss64.com/nt/for.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://ss64.com/ps/foreach-object.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
],
@@ -45210,9 +45247,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tccontre18/status/1480950986650832903",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
"https://twitter.com/mrd0x/status/1461041276514623491",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
+ "https://twitter.com/tccontre18/status/1480950986650832903",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"
],
"tags": [
@@ -45245,8 +45282,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml"
],
"tags": [
@@ -45279,8 +45316,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
+ "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml"
],
"tags": [
@@ -45499,8 +45536,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://h.43z.one/ipconverter/",
"https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml"
],
"tags": [
@@ -45556,8 +45593,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/1082851155481288706",
"https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
+ "https://twitter.com/JohnLaTwC/status/1082851155481288706",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml"
],
"tags": [
@@ -45662,11 +45699,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
- "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
- "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
"https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
+ "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+ "https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
],
"tags": [
@@ -45810,8 +45847,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
"https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"
],
"tags": [
@@ -45844,11 +45881,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
- "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
"https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml"
],
"tags": [
@@ -45881,10 +45918,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
- "https://twitter.com/mattifestation/status/986280382042595328",
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://atomicredteam.io/defense-evasion/T1220/",
+ "https://twitter.com/mattifestation/status/986280382042595328",
+ "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
],
"tags": [
@@ -46107,12 +46144,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
- "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
- "https://github.com/vletoux/pingcastle",
"https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680",
- "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699",
+ "https://github.com/vletoux/pingcastle",
"https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/",
+ "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8",
+ "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1",
"https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml"
],
@@ -46146,8 +46183,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml"
],
"tags": [
@@ -46222,8 +46259,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cglyer/status/1183756892952248325",
"https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://twitter.com/cglyer/status/1183756892952248325",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml"
],
"tags": [
@@ -46290,8 +46327,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
"https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml"
],
"tags": [
@@ -46324,8 +46361,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/skelsec/pypykatz",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
+ "https://github.com/skelsec/pypykatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml"
],
"tags": [
@@ -46434,8 +46471,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
"https://nmap.org/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml"
],
"tags": [
@@ -46469,10 +46506,10 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/bohops/status/980659399495741441",
- "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
"https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
],
"tags": [
@@ -46505,8 +46542,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml"
],
"tags": [
@@ -46640,9 +46677,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
],
"tags": [
@@ -46675,8 +46712,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
"https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml"
],
"tags": [
@@ -46817,11 +46854,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_JohnHammond/status/1708910264261980634",
"https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://twitter.com/_JohnHammond/status/1708910264261980634",
"https://twitter.com/egre55/status/1087685529016193025",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
],
@@ -46897,9 +46934,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
"https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
"https://twitter.com/christophetd/status/1164506034720952320",
"https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
@@ -47034,8 +47071,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
],
@@ -47059,9 +47096,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"
],
"tags": [
@@ -47146,9 +47183,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
"https://twitter.com/jonasLyk/status/1555914501802921984",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml"
],
"tags": [
@@ -47230,8 +47267,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml"
],
"tags": [
@@ -47514,8 +47551,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
"https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
+ "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml"
],
"tags": [
@@ -47582,12 +47619,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
"https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
"https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
"https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
"https://positive.security/blog/ms-officecmd-rce",
- "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
- "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml"
],
"tags": [
@@ -47652,8 +47689,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
"https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
+ "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml"
],
"tags": [
@@ -47695,8 +47732,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/hackvens/CoercedPotato",
"https://blog.hackvens.fr/articles/CoercedPotato.html",
+ "https://github.com/hackvens/CoercedPotato",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml"
],
"tags": [
@@ -47730,8 +47767,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
"https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
+ "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml"
],
"tags": [
@@ -47898,11 +47935,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
- "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
- "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
"https://twitter.com/max_mal_/status/1542461200797163522",
+ "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
"https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
+ "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
],
"tags": [
@@ -48029,8 +48066,8 @@
"logsource.product": "windows",
"refs": [
"https://boinc.berkeley.edu/",
- "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details",
"https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software",
+ "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_boinc.yml"
],
"tags": [
@@ -48106,8 +48143,8 @@
"logsource.product": "windows",
"refs": [
"https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
],
"tags": [
@@ -48199,8 +48236,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml"
],
"tags": [
@@ -48296,9 +48333,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
"https://securelist.com/locked-out/68960/",
"https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml"
],
"tags": [
@@ -48364,10 +48401,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
"https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
"https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
"https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
],
"tags": [
@@ -48480,8 +48517,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.youtube.com/watch?v=ro2QuZTIMBM",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml"
],
"tags": [
@@ -48538,8 +48575,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/eral4m/status/1451112385041911809",
"https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
+ "https://twitter.com/eral4m/status/1451112385041911809",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml"
],
"tags": [
@@ -48662,8 +48699,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
"https://twitter.com/frack113/status/1555830623633375232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml"
],
@@ -48720,9 +48757,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/mrd0x/status/1511415432888131586",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
"https://twitter.com/mrd0x/status/1511489821247684615",
- "https://twitter.com/mrd0x/status/1511415432888131586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
],
"tags": [
@@ -48940,9 +48977,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://twitter.com/0gtweet/status/1583356502340870144",
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
"https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml"
],
@@ -48984,10 +49021,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
"https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
],
"tags": [
@@ -49020,14 +49057,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
"https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
],
"tags": [
@@ -49282,11 +49319,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
- "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
"https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
- "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
],
"tags": [
@@ -49328,10 +49365,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://vms.drweb.fr/virus/?i=24144899",
- "https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
"https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
+ "https://twitter.com/JohnLaTwC/status/1415295021041979392",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
],
"tags": [
@@ -49364,8 +49401,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/software/S0404/",
"https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://attack.mitre.org/software/S0404/",
"https://twitter.com/vxunderground/status/1423336151860002816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml"
],
@@ -49449,8 +49486,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
],
"tags": [
@@ -49504,8 +49541,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
"https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
+ "https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml"
],
"tags": [
@@ -49547,8 +49584,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://processhacker.sourceforge.io/",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://processhacker.sourceforge.io/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml"
],
"tags": [
@@ -49600,8 +49637,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
"https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
+ "https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
],
"tags": [
@@ -49636,8 +49673,8 @@
"refs": [
"https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://twitter.com/nas_bench/status/1537896324837781506",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
],
"tags": [
@@ -49670,8 +49707,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://asec.ahnlab.com/en/38156/",
"https://github.com/fatedier/frp",
+ "https://asec.ahnlab.com/en/38156/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml"
],
"tags": [
@@ -49704,9 +49741,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt",
"https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt",
"Internal Research",
+ "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml"
],
"tags": [
@@ -49828,8 +49865,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml"
],
"tags": [
@@ -49964,8 +50001,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
"https://twitter.com/harr0ey/status/989617817849876488",
+ "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml"
],
"tags": [
@@ -49998,9 +50035,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
- "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml"
],
"tags": [
@@ -50159,9 +50196,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/fr0s7_/status/1712780207105404948",
- "https://h.43z.one/ipconverter/",
"https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
+ "https://twitter.com/fr0s7_/status/1712780207105404948",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
],
"tags": [
@@ -50184,10 +50221,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
"https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"
],
"tags": [
@@ -50397,8 +50434,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"https://www.poweradmin.com/paexec/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
],
"tags": [
@@ -50466,8 +50503,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
"https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
],
"tags": [
@@ -50542,8 +50579,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/",
"https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
+ "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml"
],
"tags": [
@@ -50576,8 +50613,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
],
@@ -50611,8 +50648,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
"https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml"
],
"tags": [
@@ -50711,9 +50748,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
- "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a",
+ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password",
+ "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml"
],
"tags": [
@@ -50733,39 +50770,6 @@
"uuid": "98dedfdd-8333-49d4-9f23-d7018cccae53",
"value": "Enable LM Hash Storage - ProcCreation"
},
- {
- "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022-10-25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_office_token_search.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://mrd0x.com/stealing-tokens-from-office-applications/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml"
- ],
- "tags": [
- "attack.credential-access",
- "attack.t1528"
- ]
- },
- "related": [
- {
- "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
- "value": "Suspicious Office Token Search Via CLI"
- },
{
"description": "Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\nMeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n",
"meta": {
@@ -50779,9 +50783,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173",
"https://github.com/Ylianst/MeshAgent",
"https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55",
- "https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml"
],
"tags": [
@@ -50891,9 +50895,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/electron/rcedit",
- "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
"https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
+ "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
+ "https://github.com/electron/rcedit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml"
],
"tags": [
@@ -50984,13 +50988,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
],
"tags": [
@@ -51048,8 +51052,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
"https://sourceforge.net/projects/mouselock/",
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml"
],
"tags": [
@@ -51083,9 +51087,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
"https://twitter.com/0gtweet/status/1564968845726580736",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
],
"tags": [
@@ -51202,12 +51206,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
"https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup",
+ "https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml"
],
"tags": [
@@ -51282,8 +51286,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"
],
"tags": [
@@ -51317,8 +51321,8 @@
"logsource.product": "windows",
"refs": [
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
- "https://github.com/jpillora/chisel/",
"https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
+ "https://github.com/jpillora/chisel/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
],
"tags": [
@@ -51385,8 +51389,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
- "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
"https://twitter.com/_felamos/status/1204705548668555264",
+ "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml"
],
"tags": [
@@ -51419,9 +51423,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
"https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml"
],
"tags": [
@@ -51478,10 +51482,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
"https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
"https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
+ "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
],
"tags": [
@@ -51547,9 +51551,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
],
"tags": [
@@ -51582,8 +51586,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1535431474429808642",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
+ "https://twitter.com/nas_bench/status/1535431474429808642",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml"
],
"tags": [
@@ -51735,8 +51739,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
],
@@ -51871,8 +51875,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
"https://twitter.com/1ZRR4H/status/1534259727059787783",
+ "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml"
],
"tags": [
@@ -51905,9 +51909,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
- "https://web.archive.org/web/20231210115125/http://www.xuetr.com/",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://web.archive.org/web/20231210115125/http://www.xuetr.com/",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
],
"tags": [
@@ -52006,8 +52010,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
"https://www.autohotkey.com/download/",
+ "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml"
],
"tags": [
@@ -52490,9 +52494,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
- "https://twitter.com/vysecurity/status/974806438316072960",
"https://twitter.com/vysecurity/status/873181705024266241",
+ "https://twitter.com/vysecurity/status/974806438316072960",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
],
@@ -52661,8 +52665,8 @@
"logsource.product": "windows",
"refs": [
"https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
],
"tags": [
@@ -52695,8 +52699,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
"https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
],
"tags": [
@@ -52837,9 +52841,9 @@
"logsource.product": "windows",
"refs": [
"https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
],
"tags": [
@@ -52872,9 +52876,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml"
],
"tags": [
@@ -53135,8 +53139,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
"https://twitter.com/pabraeken/status/993497996179492864",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml"
],
"tags": [
@@ -53170,8 +53174,8 @@
"logsource.product": "windows",
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
- "https://unit42.paloaltonetworks.com/chromeloader-malware/",
"https://lolbas-project.github.io/lolbas/Binaries/Tar/",
+ "https://unit42.paloaltonetworks.com/chromeloader-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml"
],
"tags": [
@@ -53383,9 +53387,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/tevora-threat/SharpView/",
"https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
],
"tags": [
@@ -53595,8 +53599,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Oddvarmoe/status/1270633613449723905",
"https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
+ "https://twitter.com/Oddvarmoe/status/1270633613449723905",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml"
],
"tags": [
@@ -53629,9 +53633,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
- "https://code.visualstudio.com/docs/remote/tunnels",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://code.visualstudio.com/docs/remote/tunnels",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml"
],
"tags": [
@@ -53665,8 +53669,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
"https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
+ "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml"
],
"tags": [
@@ -53733,8 +53737,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
"https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
+ "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml"
],
"tags": [
@@ -53776,8 +53780,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml"
],
"tags": [
@@ -53811,9 +53815,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"
],
"tags": [
@@ -53980,8 +53984,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
"https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml"
],
"tags": [
@@ -54014,10 +54018,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode",
"https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior",
- "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
"https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode",
+ "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml"
],
"tags": [
@@ -54050,9 +54054,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/countuponsec/status/910969424215232518",
"https://twitter.com/countuponsec/status/910977826853068800",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
+ "https://twitter.com/countuponsec/status/910969424215232518",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
],
"tags": [
@@ -54085,10 +54089,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.elastic.co/security-labs/operation-bleeding-bear",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
"https://twitter.com/splinter_code/status/1483815103279603714",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://www.elastic.co/security-labs/operation-bleeding-bear",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
],
"tags": [
@@ -54157,8 +54161,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
"https://pentestlab.blog/tag/svchost/",
+ "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml"
],
"tags": [
@@ -54263,8 +54267,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
"https://twitter.com/0gtweet/status/1206692239839289344",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
],
"tags": [
@@ -54396,8 +54400,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
"https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
+ "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml"
],
"tags": [
@@ -54439,9 +54443,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"
],
"tags": [
@@ -54533,12 +54537,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
- "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
- "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
"https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
"https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml"
],
@@ -54574,11 +54578,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
- "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
"https://twitter.com/gN3mes1s/status/1206874118282448897",
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
"https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml"
],
"tags": [
@@ -54748,8 +54752,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1359039665232306183?s=21",
"https://ss64.com/nt/logman.html",
+ "https://twitter.com/0gtweet/status/1359039665232306183?s=21",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml"
],
"tags": [
@@ -54881,8 +54885,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml"
],
"tags": [
@@ -54915,9 +54919,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
- "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
"https://github.com/LOLBAS-Project/LOLBAS/pull/151",
+ "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
+ "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml"
],
"tags": [
@@ -54993,8 +54997,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1562072617552678912",
"https://ss64.com/nt/cmd.html",
+ "https://twitter.com/cyb3rops/status/1562072617552678912",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml"
],
"tags": [
@@ -55027,8 +55031,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
"https://twitter.com/Moriarty_Meng/status/984380793383370752",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml"
],
"tags": [
@@ -55163,8 +55167,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"
],
"tags": [
@@ -55364,9 +55368,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
"https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml"
],
"tags": [
@@ -55399,10 +55403,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://zero2auto.com/2020/05/19/netwalker-re/",
- "https://redcanary.com/blog/yellow-cockatoo/",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
"https://mez0.cc/posts/cobaltstrike-powershell-exec/",
+ "https://redcanary.com/blog/yellow-cockatoo/",
+ "https://zero2auto.com/2020/05/19/netwalker-re/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
],
"tags": [
@@ -55529,9 +55533,9 @@
"logsource.category": "wmi_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/RiccardoAncarani/LiquidSnake",
"https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
"https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
- "https://github.com/RiccardoAncarani/LiquidSnake",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
],
"tags": [
@@ -55564,8 +55568,8 @@
"logsource.category": "process_tampering",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
"https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
+ "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml"
],
"tags": [
@@ -55632,8 +55636,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
"https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
+ "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"
],
"tags": [
@@ -55675,9 +55679,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://cydefops.com/vscode-data-exfiltration",
- "https://badoption.eu/blog/2023/01/31/code_c2.html",
"https://ipfyx.fr/post/visual-studio-code-tunnel/",
+ "https://badoption.eu/blog/2023/01/31/code_c2.html",
+ "https://cydefops.com/vscode-data-exfiltration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml"
],
"tags": [
@@ -55890,8 +55894,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.ietf.org/rfc/rfc2821.txt",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://www.ietf.org/rfc/rfc2821.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml"
],
"tags": [
@@ -55967,10 +55971,10 @@
"logsource.product": "windows",
"refs": [
"https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
- "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
- "https://github.com/looCiprian/GC2-sheet",
"https://youtu.be/n2dFlSaBBKo",
"https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
+ "https://github.com/looCiprian/GC2-sheet",
+ "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml"
],
"tags": [
@@ -56037,8 +56041,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
+ "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml"
],
"tags": [
@@ -56104,9 +56108,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
+ "https://github.com/rapid7/metasploit-framework/issues/11337",
"https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2",
"https://portmap.io/",
- "https://github.com/rapid7/metasploit-framework/issues/11337",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_portmap.yml"
],
"tags": [
@@ -56217,8 +56221,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
"https://pypi.org/project/scapy/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml"
],
"tags": [
@@ -56251,9 +56255,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
- "Internal Research",
"https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/",
+ "Internal Research",
+ "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml"
],
"tags": [
@@ -56454,11 +56458,11 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://twitter.com/M_haggis/status/900741347035889665",
"https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml"
],
"tags": [
@@ -56524,8 +56528,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet",
"https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf",
+ "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml"
],
"tags": [
@@ -56595,10 +56599,10 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
- "https://tria.ge/240301-rk34sagf5x/behavioral2",
- "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html",
"https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d",
+ "https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/",
+ "https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html",
+ "https://tria.ge/240301-rk34sagf5x/behavioral2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml"
],
"tags": [
@@ -56654,10 +56658,10 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://ngrok.com/blog-post/new-ngrok-domains",
- "https://ngrok.com/",
"https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
+ "https://ngrok.com/",
"https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf",
+ "https://ngrok.com/blog-post/new-ngrok-domains",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml"
],
"tags": [
@@ -56690,8 +56694,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md",
"https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c",
+ "https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml"
],
"tags": [
@@ -56724,9 +56728,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.poolwatch.io/coin/monero",
- "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files",
"https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt",
+ "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files",
+ "https://www.poolwatch.io/coin/monero",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml"
],
"tags": [
@@ -56835,10 +56839,10 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/",
"https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia",
+ "https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml"
],
"tags": [
@@ -56879,8 +56883,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
"https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
+ "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml"
],
"tags": [
@@ -57177,8 +57181,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/forensicitguy/status/1513538712986079238",
- "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/",
+ "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
],
"tags": [
@@ -57212,9 +57216,9 @@
"logsource.product": "windows",
"refs": [
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
"https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml"
],
"tags": [
@@ -57349,12 +57353,12 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
- "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/",
- "https://twitter.com/kleiton0x7e/status/1600567316810551296",
"https://github.com/kleiton0x00/RedditC2",
"https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
+ "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
+ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
+ "https://twitter.com/kleiton0x7e/status/1600567316810551296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml"
],
"tags": [
@@ -57617,8 +57621,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml"
],
"tags": [
@@ -57652,10 +57656,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
- "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
],
"tags": [
@@ -57757,10 +57761,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
"https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
],
"tags": [
@@ -57794,9 +57798,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
"https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
],
"tags": [
@@ -58028,9 +58032,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule",
"https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170",
+ "https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml"
],
"tags": [
@@ -58447,9 +58451,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_dirkjan/status/1309214379003588608",
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -58648,9 +58652,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
"https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
"https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml"
],
"tags": [
@@ -58683,8 +58687,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
"https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
],
"tags": [
@@ -58913,8 +58917,8 @@
"logsource.product": "windows",
"refs": [
"https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
- "https://www.x86matthew.com/view_post?id=create_svc_rpc",
"https://twitter.com/SBousseaden/status/1490608838701166596",
+ "https://www.x86matthew.com/view_post?id=create_svc_rpc",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
],
"tags": [
@@ -59201,10 +59205,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
],
"tags": [
@@ -59227,10 +59231,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
- "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all",
"http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
+ "https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all",
+ "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
],
"tags": [
@@ -59574,9 +59578,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/topotam/PetitPotam",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
"https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
+ "https://github.com/topotam/PetitPotam",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
],
"tags": [
@@ -59676,8 +59680,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=3513",
"https://www.trustedsec.com/blog/art_of_kerberoast/",
+ "https://adsecurity.org/?p=3513",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_kerberoasting_activity.yml"
],
"tags": [
@@ -59710,16 +59714,16 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://twitter.com/_xpn_/status/1268712093928378368",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://bunnyinside.com/?term=f71e8cb9c76a",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
],
"tags": [
@@ -59802,9 +59806,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.secureworks.com/blog/ransomware-as-a-distraction",
"https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html",
"https://twitter.com/menasec1/status/1106899890377052160",
- "https://www.secureworks.com/blog/ransomware-as-a-distraction",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
],
"tags": [
@@ -59879,9 +59883,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
"https://adsecurity.org/?p=3466",
"https://msdn.microsoft.com/en-us/library/cc220234.aspx",
- "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
],
"tags": [
@@ -60022,9 +60026,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -60075,9 +60079,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
],
"tags": [
@@ -60110,10 +60114,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://twitter.com/MsftSecIntel/status/1257324139515269121",
"https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://twitter.com/MsftSecIntel/status/1257324139515269121",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
],
"tags": [
@@ -60289,8 +60293,8 @@
"logsource.product": "windows",
"refs": [
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
],
"tags": [
@@ -60350,8 +60354,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/SBousseaden/status/1581300963650187264?",
- "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
"https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
+ "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
],
"tags": [
@@ -60418,8 +60422,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2053",
"https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
+ "https://adsecurity.org/?p=2053",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
],
"tags": [
@@ -60452,8 +60456,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
+ "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
],
"tags": [
@@ -60487,8 +60491,8 @@
"logsource.product": "windows",
"refs": [
"Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
- "Live environment caused by malware",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616",
+ "Live environment caused by malware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
],
"tags": [
@@ -60554,10 +60558,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/deepinstinct/NoFilter",
- "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation",
"https://x.com/_st0pp3r_/status/1742203752361128162?s=20",
+ "https://github.com/deepinstinct/NoFilter",
"https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp",
+ "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml"
],
"tags": [
@@ -60715,9 +60719,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://twitter.com/deviouspolack/status/832535435960209408",
"https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml",
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml"
],
"tags": [
@@ -60751,9 +60755,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/SecurityJosh/status/1283027365770276866",
"https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
"https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://twitter.com/SecurityJosh/status/1283027365770276866",
"https://twitter.com/Flangvik/status/1283054508084473861",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
],
@@ -60862,9 +60866,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
"https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
"https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
- "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
],
"tags": [
@@ -61287,9 +61291,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
"https://github.com/fox-it/LDAPFragger",
"https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
],
"tags": [
@@ -61663,10 +61667,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662",
"https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
],
"tags": [
@@ -62103,8 +62107,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml"
],
"tags": [
@@ -62171,8 +62175,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml"
],
"tags": [
@@ -62247,9 +62251,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
- "https://twitter.com/malmoeb/status/1511760068743766026",
"https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
+ "https://twitter.com/malmoeb/status/1511760068743766026",
+ "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
],
"tags": [
@@ -62285,8 +62289,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/topotam/PetitPotam",
"https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
+ "https://github.com/topotam/PetitPotam",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml"
],
"tags": [
@@ -62386,11 +62390,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
- "https://github.com/sensepost/ruler/issues/47",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
"https://github.com/sensepost/ruler",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776",
+ "https://github.com/sensepost/ruler/issues/47",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
],
"tags": [
@@ -62564,8 +62568,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
],
"tags": [
@@ -62599,8 +62603,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732",
+ "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml"
],
"tags": [
@@ -63159,9 +63163,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
"https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml"
],
"tags": [
@@ -63194,11 +63198,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
],
"tags": [
@@ -63282,8 +63286,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38",
"https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml"
],
"tags": [
@@ -63351,11 +63355,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
],
"tags": [
@@ -63388,10 +63392,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
],
@@ -63425,9 +63429,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/netero1010/EDRSilencer",
"https://github.com/amjcyber/EDRNoiseMaker",
"https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983",
+ "https://github.com/netero1010/EDRSilencer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml"
],
"tags": [
@@ -63460,9 +63464,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml"
],
"tags": [
@@ -63485,9 +63489,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml"
],
"tags": [
@@ -63510,9 +63514,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml"
],
"tags": [
@@ -63535,9 +63539,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml"
],
"tags": [
@@ -63560,9 +63564,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml"
],
"tags": [
@@ -63585,9 +63589,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml"
],
"tags": [
@@ -63610,9 +63614,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml"
],
"tags": [
@@ -63645,9 +63649,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml"
],
"tags": [
@@ -63670,10 +63674,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
"https://twitter.com/SBousseaden/status/1483810148602814466",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations",
- "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
],
"tags": [
@@ -63696,9 +63700,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
"https://twitter.com/wdormann/status/1590434950335320065",
"https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml"
],
"tags": [
@@ -64397,9 +64401,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml"
],
"tags": [
@@ -64432,8 +64436,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/duff22b/status/1280166329660497920",
"https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands",
+ "https://twitter.com/duff22b/status/1280166329660497920",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml"
],
"tags": [
@@ -64542,9 +64546,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012",
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml"
],
"tags": [
@@ -64635,8 +64639,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml"
],
"tags": [
@@ -64735,9 +64739,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
"https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml"
],
"tags": [
@@ -64907,10 +64911,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
- "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
+ "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
],
"tags": [
@@ -64985,9 +64989,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
],
"tags": [
@@ -65062,8 +65066,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml"
],
"tags": [
@@ -65096,8 +65100,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml"
],
"tags": [
@@ -65120,11 +65124,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/VM_vivisector/status/1217190929330655232",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
"https://nullsec.us/windows-event-log-audit-cve/",
"https://twitter.com/FlemmingRiis/status/1217147415482060800",
- "https://twitter.com/VM_vivisector/status/1217190929330655232",
"https://www.youtube.com/watch?v=ebmW42YYveI",
- "https://twitter.com/DidierStevens/status/1217533958096924676",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
],
"tags": [
@@ -65274,8 +65278,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
"https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
+ "https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
"https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
],
@@ -65323,8 +65327,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html",
"https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/",
+ "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml"
],
"tags": [
@@ -65357,8 +65361,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html",
"https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/",
+ "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml"
],
"tags": [
@@ -65555,8 +65559,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/SigmaHQ/sigma/pull/4467",
"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
+ "https://github.com/SigmaHQ/sigma/pull/4467",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml"
],
"tags": [
@@ -65589,8 +65593,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/SigmaHQ/sigma/pull/4467",
"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
+ "https://github.com/SigmaHQ/sigma/pull/4467",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml"
],
"tags": [
@@ -65621,12 +65625,12 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
- "https://ipurple.team/2024/07/15/sharphound-detection/",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
"https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
"https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
"https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://ipurple.team/2024/07/15/sharphound-detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
],
"tags": [
@@ -65742,8 +65746,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)",
"https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml"
],
"tags": [
@@ -65898,8 +65902,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
"https://www.secura.com/blog/zero-logon",
+ "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
],
"tags": [
@@ -66646,9 +66650,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -67596,8 +67600,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/wdormann/status/1347958161609809921",
- "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
"https://twitter.com/jonasLyk/status/1347900440000811010",
+ "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml"
],
"tags": [
@@ -67663,8 +67667,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/Ekultek/BlueKeep",
"https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://github.com/Ekultek/BlueKeep",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
],
"tags": [
@@ -67698,9 +67702,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml"
],
"tags": [
@@ -67733,9 +67737,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml"
],
"tags": [
@@ -67916,8 +67920,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
"https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml"
],
"tags": [
@@ -67952,8 +67956,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
"https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml"
],
"tags": [
@@ -67988,8 +67992,8 @@
"logsource.product": "windows",
"refs": [
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
- "https://twitter.com/gentilkiwi/status/861641945944391680",
"https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
+ "https://twitter.com/gentilkiwi/status/861641945944391680",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
],
"tags": [
@@ -68055,8 +68059,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml"
],
"tags": [
@@ -68104,11 +68108,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
"https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
- "https://winaero.com/enable-openssh-server-windows-10/",
"https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
],
"tags": [
@@ -68128,6 +68132,182 @@
"uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781",
"value": "OpenSSH Server Listening On Socket"
},
+ {
+ "description": "Detects the addition of a new module to an IIS server.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2024-10-06",
+ "falsepositive": [
+ "Legitimate administrator activity"
+ ],
+ "filename": "win_iis_module_added.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview",
+ "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
+ "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_added.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1562.002",
+ "attack.t1505.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dd857d3e-0c6e-457b-9b48-e82ae7f86bd7",
+ "value": "New Module Module Added To IIS Server"
+ },
+ {
+ "description": "Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2024-10-06",
+ "falsepositive": [
+ "Legitimate administrator activity"
+ ],
+ "filename": "win_iis_logging_etw_disabled.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/",
+ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
+ "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.002",
+ "attack.t1505.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a5b40a90-baf5-4bf7-a6f7-373494881d22",
+ "value": "ETW Logging/Processing Option Disabled On IIS Server"
+ },
+ {
+ "description": "Detects the removal of a previously installed IIS module.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2024-10-06",
+ "falsepositive": [
+ "Legitimate administrator activity"
+ ],
+ "filename": "win_iis_module_removed.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview",
+ "https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
+ "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1562.002",
+ "attack.t1505.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f",
+ "value": "Previously Installed IIS Module Was Removed"
+ },
+ {
+ "description": "Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2024-10-06",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_iis_logging_http_disabled.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging",
+ "https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis",
+ "https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.002",
+ "attack.t1505.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e8ebd53a-30c2-45bd-81bb-74befba07bdb",
+ "value": "HTTP Logging Disabled On IIS Server"
+ },
{
"description": "Detect standard users login that are part of high privileged groups such as the Administrator group",
"meta": {
@@ -68141,8 +68321,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
+ "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
"https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
],
@@ -68412,8 +68592,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml"
],
"tags": [
@@ -68437,8 +68617,8 @@
"logsource.product": "windows",
"refs": [
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
],
"tags": [
@@ -68461,8 +68641,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml"
],
"tags": [
@@ -68485,10 +68665,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
],
"tags": [
@@ -68511,10 +68691,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
],
"tags": [
@@ -68537,10 +68717,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
],
"tags": [
@@ -68563,10 +68743,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"Internal Research",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
],
"tags": [
@@ -68816,8 +68996,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
"https://mobile.twitter.com/0gtweet/status/1564131230941122561",
+ "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml"
],
"tags": [
@@ -68860,11 +69040,11 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
- "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
"https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/",
+ "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
+ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
"https://hijacklibs.net/",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
],
"tags": [
@@ -68907,8 +69087,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/am0nsec/status/1412232114980982787",
"https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
+ "https://twitter.com/am0nsec/status/1412232114980982787",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml"
],
"tags": [
@@ -69103,6 +69283,41 @@
"uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6",
"value": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE"
},
+ {
+ "description": "Detects potential DLL sideloading of Python DLL files.",
+ "meta": {
+ "author": "Swachchhanda Shrawan Poudel",
+ "creation_date": "2024-10-06",
+ "falsepositive": [
+ "Legitimate software using Python DLLs"
+ ],
+ "filename": "image_load_side_load_python.yml",
+ "level": "medium",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/",
+ "https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python",
+ "https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_python.yml"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d36f7c12-14a3-4d48-b6b8-774b9c66f44d",
+ "value": "Potential Python DLL SideLoading"
+ },
{
"description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.",
"meta": {
@@ -69116,9 +69331,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
- "https://twitter.com/mattifestation/status/1196390321783025666",
"https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml"
],
"tags": [
@@ -69248,9 +69463,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
"https://twitter.com/dez_/status/986614411711442944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
],
"tags": [
@@ -69361,9 +69576,9 @@
"https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://github.com/Wh04m1001/SysmonEoP",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
- "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
],
"tags": [
@@ -69407,10 +69622,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
- "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
- "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
"https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
+ "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
+ "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml"
],
"tags": [
@@ -69518,10 +69733,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
- "https://thewover.github.io/Introducing-Donut/",
+ "https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://github.com/tyranid/DotNetToJScript",
+ "https://thewover.github.io/Introducing-Donut/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
],
"tags": [
@@ -69664,8 +69879,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
"https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
+ "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml"
],
"tags": [
@@ -69861,11 +70076,11 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Max_Mal_/status/1775222576639291859",
"https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html",
"https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/",
- "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/",
"https://twitter.com/DTCERT/status/1712785426895839339",
+ "https://twitter.com/Max_Mal_/status/1775222576639291859",
+ "https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_keyscrambler.yml"
],
"tags": [
@@ -69907,10 +70122,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
"https://github.com/bohops/WSMan-WinRM",
"https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
],
"tags": [
@@ -70028,9 +70243,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/",
"https://securelist.com/apt-luminousmoth/103332/",
"https://twitter.com/WhichbufferArda/status/1658829954182774784",
+ "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml"
],
"tags": [
@@ -70395,8 +70610,8 @@
"logsource.product": "windows",
"refs": [
"https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
"https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
],
"tags": [
@@ -70610,8 +70825,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/ly4k/SpoolFool",
"https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/",
+ "https://github.com/ly4k/SpoolFool",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
],
"tags": [
@@ -70691,9 +70906,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
+ "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
"https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql",
"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion",
- "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml"
],
"tags": [
@@ -70820,8 +71035,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.roboform.com/",
"https://twitter.com/t3ft3lb/status/1656194831830401024",
+ "https://www.roboform.com/",
"https://twitter.com/StopMalvertisin/status/1648604148848549888",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml"
],
@@ -70906,10 +71121,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
- "https://github.com/S12cybersecurity/RDPCredentialStealer",
"https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
+ "https://github.com/S12cybersecurity/RDPCredentialStealer",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
+ "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml"
],
"tags": [
@@ -71153,8 +71368,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html",
"https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html",
+ "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml"
],
"tags": [
@@ -71314,8 +71529,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml"
],
"tags": [
@@ -71338,8 +71553,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/binderlabs/DirCreate2System",
+ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
],
"tags": [
@@ -71417,10 +71632,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
- "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
- "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
"https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html",
+ "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/",
+ "https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/",
+ "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml"
],
"tags": [
@@ -71548,8 +71763,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/blog/lnk-between-browsers",
"https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/",
+ "https://www.mandiant.com/resources/blog/lnk-between-browsers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml"
],
"tags": [
@@ -71903,8 +72118,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
"https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+ "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
],
"tags": [
@@ -72199,9 +72414,9 @@
"logsource.category": "ps_classic_start",
"logsource.product": "windows",
"refs": [
- "https://github.com/besimorhino/powercat",
- "https://nmap.org/ncat/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+ "https://nmap.org/ncat/",
+ "https://github.com/besimorhino/powercat",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
],
"tags": [
@@ -72334,9 +72549,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://github.com/bohops/WSMan-WinRM",
"https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
],
"tags": [
@@ -72508,7 +72723,7 @@
"value": "Nslookup PowerShell Download Cradle"
},
{
- "description": "Detects renamed powershell",
+ "description": "Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.\n",
"meta": {
"author": "Harish Segar, frack113",
"creation_date": "2020-06-29",
@@ -72525,7 +72740,8 @@
],
"tags": [
"attack.execution",
- "attack.t1059.001"
+ "attack.t1059.001",
+ "attack.t1036.003"
]
},
"related": [
@@ -72535,6 +72751,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
}
],
"uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592",
@@ -72587,8 +72810,8 @@
"logsource.category": "ps_classic_start",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
],
"tags": [
@@ -72787,8 +73010,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
"https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
+ "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
],
"tags": [
@@ -72957,8 +73180,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4",
- "https://adsecurity.org/?p=2604",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4",
+ "https://adsecurity.org/?p=2604",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
],
"tags": [
@@ -72991,11 +73214,11 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps",
- "http://woshub.com/manage-windows-firewall-powershell/",
- "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
"https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+ "http://woshub.com/manage-windows-firewall-powershell/",
"https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+ "https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
],
"tags": [
@@ -73062,8 +73285,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
+ "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml"
],
"tags": [
@@ -73129,8 +73352,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
+ "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
],
"tags": [
@@ -73366,8 +73589,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
"https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
"https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml"
],
@@ -73424,8 +73647,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
"https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
],
"tags": [
@@ -73623,24 +73846,24 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://adsecurity.org/?p=2921",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/besimorhino/powercat",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/samratashok/nishang",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/adrecon/ADRecon",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/adrecon/AzureADRecon",
"https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/besimorhino/powercat",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
],
"tags": [
@@ -73939,8 +74162,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
"https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
+ "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
],
"tags": [
@@ -74297,9 +74520,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
- "https://github.com/GhostPack/Rubeus",
"https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
+ "https://github.com/GhostPack/Rubeus",
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml"
],
"tags": [
@@ -74448,8 +74671,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
"https://www.powershellgallery.com/packages/DSInternals",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
],
"tags": [
@@ -74661,8 +74884,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml"
],
"tags": [
@@ -74922,8 +75145,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -75075,8 +75298,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
],
"tags": [
@@ -75110,9 +75333,9 @@
"logsource.product": "windows",
"refs": [
"https://youtu.be/5mqid-7zp8k?t=2481",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
],
"tags": [
@@ -75360,9 +75583,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13",
- "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md",
"https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing",
+ "https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md",
+ "https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml"
],
"tags": [
@@ -75430,9 +75653,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
],
"tags": [
@@ -75588,8 +75811,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml"
],
"tags": [
@@ -75656,9 +75879,9 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
"https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
],
"tags": [
@@ -75767,8 +75990,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
],
"tags": [
@@ -75803,8 +76026,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
+ "https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
],
"tags": [
@@ -75922,9 +76145,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
"https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication",
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a",
+ "https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml"
],
"tags": [
@@ -75958,9 +76181,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
- "https://powersploit.readthedocs.io/en/stable/Recon/README",
"https://thedfirreport.com/2020/10/08/ryuks-return",
"https://adsecurity.org/?p=2277",
+ "https://powersploit.readthedocs.io/en/stable/Recon/README",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
],
"tags": [
@@ -76161,8 +76384,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"
],
@@ -76204,8 +76427,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
+ "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
],
"tags": [
@@ -76238,8 +76461,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://attack.mitre.org/datasources/DS0005/",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://attack.mitre.org/datasources/DS0005/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
],
"tags": [
@@ -76306,10 +76529,10 @@
"logsource.product": "windows",
"refs": [
"https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841",
- "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
"https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md",
+ "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml"
],
"tags": [
@@ -76469,8 +76692,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml"
],
"tags": [
@@ -76503,9 +76726,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -76696,8 +76919,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
"https://twitter.com/NathanMcNulty/status/1569497348841287681",
+ "https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml"
],
"tags": [
@@ -76941,8 +77164,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
],
"tags": [
@@ -77008,8 +77231,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
],
"tags": [
@@ -77042,9 +77265,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
"https://twitter.com/oroneequalsone/status/1568432028361830402",
"https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
],
"tags": [
@@ -77111,8 +77334,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4",
+ "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
],
@@ -77146,8 +77369,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
],
@@ -77238,8 +77461,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
+ "https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
],
"tags": [
@@ -77406,8 +77629,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
"https://techgenix.com/malicious-powershell-scripts-evade-detection/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
],
"tags": [
@@ -77482,8 +77705,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/aadinternals/",
"https://github.com/Gerenios/AADInternals",
+ "https://o365blog.com/aadinternals/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml"
],
"tags": [
@@ -77953,8 +78176,8 @@
"logsource.product": "windows",
"refs": [
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml"
],
"tags": [
@@ -78020,10 +78243,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
+ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
"https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
"https://twitter.com/ScumBots/status/1610626724257046529",
- "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
],
"tags": [
@@ -78057,8 +78280,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
"https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
],
"tags": [
@@ -78265,9 +78488,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://www.ietf.org/rfc/rfc2821.txt",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
],
"tags": [
@@ -78836,8 +79059,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md",
"https://github.com/OTRF/detection-hackathon-apt29/issues/8",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
],
"tags": [
@@ -78904,22 +79127,22 @@
"logsource.product": "windows",
"refs": [
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/samratashok/nishang",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://github.com/besimorhino/powercat",
"https://github.com/S3cur3Th1sSh1t/WinPwn",
"https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
],
"tags": [
@@ -78952,8 +79175,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml"
],
"tags": [
@@ -79062,24 +79285,24 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
+ "https://github.com/calebstewart/CVE-2021-1675",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://adsecurity.org/?p=2921",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/besimorhino/powercat",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/samratashok/nishang",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/Kevin-Robertson/Powermad",
- "https://github.com/adrecon/ADRecon",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/adrecon/AzureADRecon",
"https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/besimorhino/powercat",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/samratashok/nishang",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
],
"tags": [
@@ -79169,8 +79392,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
"https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml"
],
"tags": [
@@ -79428,8 +79651,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
"https://www.mdeditor.tw/pl/pgRt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
],
@@ -79750,17 +79973,17 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://github.com/codewhitesec/HandleKatz",
"https://github.com/fortra/nanodump",
"https://github.com/xuanxuan0/DripLoader",
- "https://github.com/ohpe/juicy-potato",
- "https://www.tarasco.org/security/pwdump_7/",
"https://github.com/antonioCoco/RoguePotato",
- "https://github.com/topotam/PetitPotam",
- "https://github.com/outflanknl/Dumpert",
+ "https://github.com/ohpe/juicy-potato",
+ "https://github.com/codewhitesec/HandleKatz",
"https://github.com/hfiref0x/UACME",
- "https://github.com/wavestone-cdt/EDRSandblast",
+ "https://github.com/outflanknl/Dumpert",
+ "https://github.com/topotam/PetitPotam",
+ "https://www.tarasco.org/security/pwdump_7/",
"https://github.com/gentilkiwi/mimikatz",
+ "https://github.com/wavestone-cdt/EDRSandblast",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml"
],
"tags": [
@@ -79910,8 +80133,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml"
@@ -79947,8 +80170,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
"https://labs.withsecure.com/publications/detecting-onenote-abuse",
+ "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml"
],
"tags": [
@@ -79982,8 +80205,8 @@
"logsource.product": "windows",
"refs": [
"https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
"https://github.com/codewhitesec/SysmonEnte/",
+ "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml"
],
"tags": [
@@ -80061,8 +80284,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/skelsec/pypykatz",
"https://twitter.com/bh4b3sh/status/1303674603819081728",
+ "https://github.com/skelsec/pypykatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml"
],
"tags": [
@@ -80097,9 +80320,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
- "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
- "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
+ "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
],
"tags": [
@@ -80166,8 +80389,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611",
"https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/",
+ "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml"
],
"tags": [
@@ -80305,8 +80528,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
"https://twitter.com/SBousseaden/status/1541920424635912196",
+ "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml"
],
@@ -80417,8 +80640,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/timbmsft/status/900724491076214784",
"https://github.com/hlldz/Invoke-Phant0m",
+ "https://twitter.com/timbmsft/status/900724491076214784",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml"
],
"tags": [
@@ -80680,11 +80903,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
"https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml"
],
"tags": [
@@ -80718,8 +80941,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/boku7/injectAmsiBypass",
"https://github.com/boku7/spawn",
+ "https://github.com/boku7/injectAmsiBypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml"
],
"tags": [
@@ -81033,9 +81256,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://threatpost.com/microsoft-petitpotam-poc/168163/",
- "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
"https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
+ "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
+ "https://threatpost.com/microsoft-petitpotam-poc/168163/",
"https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
],
@@ -81076,9 +81299,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
+ "https://github.com/nknorg/nkn-sdk-go",
"https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/Maka8ka/NGLite",
- "https://github.com/nknorg/nkn-sdk-go",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
],
"tags": [
@@ -81323,12 +81546,12 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/corelight/CVE-2021-1675",
- "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
"https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+ "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
],
"tags": [
@@ -81355,10 +81578,10 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://twitter.com/neu5ron/status/1346245602502443009",
+ "https://tools.ietf.org/html/rfc2929#section-2.1",
"https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
"https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
- "https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://twitter.com/neu5ron/status/1346245602502443009",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
],
"tags": [
@@ -81515,9 +81738,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://twitter.com/_dirkjan/status/1309214379003588608",
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
],
"tags": [
@@ -81739,8 +81962,8 @@
"logsource.category": "No established category",
"logsource.product": "cisco",
"refs": [
- "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html",
"https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609",
+ "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml"
],
"tags": [
@@ -82390,8 +82613,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/stvemillertime/status/1024707932447854592",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
+ "https://twitter.com/stvemillertime/status/1024707932447854592",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
],
"tags": [
@@ -82465,10 +82688,10 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://core.telegram.org/bots/faq",
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
],
"tags": [
@@ -82597,9 +82820,9 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
],
"tags": [
@@ -82690,11 +82913,11 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
"https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/",
+ "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
"https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
"https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile",
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile",
- "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml"
],
"tags": [
@@ -82730,8 +82953,8 @@
"refs": [
"https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462",
"https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html",
- "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
"https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html",
+ "https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_external_execution.yml"
],
"tags": [
@@ -82806,10 +83029,10 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://www.spamhaus.org/statistics/tlds/",
+ "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
"https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
"https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
- "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
- "https://www.spamhaus.org/statistics/tlds/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
],
"tags": [
@@ -82892,8 +83115,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
"https://twitter.com/jhencinski/status/1102695118455349248",
+ "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml"
],
"tags": [
@@ -82970,14 +83193,14 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
"http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
- "https://twitter.com/crep1x/status/1635034100213112833",
+ "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
"https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
"http://www.botopedia.org/search?searchword=scan&searchphrase=all",
- "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
"https://perishablepress.com/blacklist/ua-2013.txt",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+ "https://twitter.com/crep1x/status/1635034100213112833",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
],
"tags": [
@@ -83044,8 +83267,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
"https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
+ "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml"
],
"tags": [
@@ -83148,8 +83371,8 @@
"logsource.product": "No established product",
"refs": [
"https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
- "https://blog.talosintelligence.com/ipfs-abuse/",
"https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
+ "https://blog.talosintelligence.com/ipfs-abuse/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
],
"tags": [
@@ -83232,9 +83455,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
"https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
"https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
+ "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml"
],
"tags": [
@@ -83309,8 +83532,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.advanced-port-scanner.com/",
"https://www.advanced-ip-scanner.com/",
+ "https://www.advanced-port-scanner.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml"
],
"tags": [
@@ -83680,9 +83903,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
],
"tags": [
@@ -83833,8 +84056,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
"https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
+ "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml"
],
"tags": [
@@ -83867,11 +84090,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
"https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
"https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
- "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
"https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+ "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
],
"tags": [
@@ -83940,8 +84163,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/pimps/JNDI-Exploit-Kit",
"https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit",
+ "https://github.com/pimps/JNDI-Exploit-Kit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml"
],
"tags": [
@@ -84010,8 +84233,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
"https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
"https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
],
@@ -84046,8 +84269,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
"https://github.com/payloadbox/ssti-payloads",
+ "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml"
],
"tags": [
@@ -84080,9 +84303,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
"https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029",
"https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash",
+ "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml"
],
"tags": [
@@ -84116,8 +84339,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://bad-jubies.github.io/RCE-NOW-WHAT/",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml"
],
"tags": [
@@ -84152,11 +84375,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
- "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection",
+ "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
"https://github.com/payloadbox/sql-injection-payload-list",
"https://brightsec.com/blog/sql-injection-payloads/",
- "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml"
],
"tags": [
@@ -84190,8 +84413,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/projectdiscovery/nuclei-templates",
"https://book.hacktricks.xyz/pentesting-web/file-inclusion",
+ "https://github.com/projectdiscovery/nuclei-templates",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml"
],
"tags": [
@@ -84259,8 +84482,8 @@
"logsource.product": "No established product",
"refs": [
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
- "https://github.com/lijiejie/IIS_shortname_Scanner",
"https://www.exploit-db.com/exploits/19525",
+ "https://github.com/lijiejie/IIS_shortname_Scanner",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
],
"tags": [
@@ -84393,9 +84616,9 @@
"logsource.category": "application",
"logsource.product": "jvm",
"refs": [
+ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://rules.sonarsource.com/java/RSPEC-2755",
"https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
- "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
],
"tags": [
@@ -84496,8 +84719,8 @@
"logsource.category": "application",
"logsource.product": "spring",
"refs": [
- "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
"https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml"
],
"tags": [
@@ -84564,8 +84787,8 @@
"logsource.product": "ruby_on_rails",
"refs": [
"https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
- "http://edgeguides.rubyonrails.org/security.html",
"https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
+ "http://edgeguides.rubyonrails.org/security.html",
"http://guides.rubyonrails.org/action_controller_overview.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
],
@@ -84600,8 +84823,8 @@
"logsource.category": "application",
"logsource.product": "velocity",
"refs": [
- "https://antgarsil.github.io/posts/velocity/",
"https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://antgarsil.github.io/posts/velocity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml"
],
"tags": [
@@ -84734,8 +84957,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_smb_file_open.yml"
],
"tags": [
@@ -84777,8 +85000,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_vnc_connection_attempt.yml"
],
"tags": [
@@ -84811,8 +85034,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_new_connection.yml"
],
"tags": [
@@ -84863,8 +85086,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_tftp_request.yml"
],
"tags": [
@@ -84897,8 +85120,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ftp_login_attempt.yml"
],
"tags": [
@@ -84940,8 +85163,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml"
],
"tags": [
@@ -84975,8 +85198,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_post_login_attempt.yml"
],
"tags": [
@@ -85009,8 +85232,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_git_clone_request.yml"
],
"tags": [
@@ -85043,8 +85266,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_snmp_cmd.yml"
],
"tags": [
@@ -85086,8 +85309,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_sip_request.yml"
],
"tags": [
@@ -85120,8 +85343,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ssh_login_attempt.yml"
],
"tags": [
@@ -85172,8 +85395,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mysql_login_attempt.yml"
],
"tags": [
@@ -85215,8 +85438,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_redis_command.yml"
],
"tags": [
@@ -85258,8 +85481,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml"
],
"tags": [
@@ -85301,8 +85524,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_telnet_login_attempt.yml"
],
"tags": [
@@ -85344,8 +85567,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_mssql_login_winauth.yml"
],
"tags": [
@@ -85387,8 +85610,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_http_get.yml"
],
"tags": [
@@ -85421,8 +85644,8 @@
"logsource.category": "application",
"logsource.product": "opencanary",
"refs": [
- "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52",
+ "https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/opencanary/opencanary_ntp_monlist.yml"
],
"tags": [
@@ -85488,8 +85711,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/",
"https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
+ "https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml"
],
"tags": [
@@ -85545,8 +85768,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab",
"https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
+ "https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml"
],
"tags": [
@@ -85602,8 +85825,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://security.padok.fr/en/blog/kubernetes-webhook-attackers",
"https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
+ "https://security.padok.fr/en/blog/kubernetes-webhook-attackers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml"
],
"tags": [
@@ -85653,8 +85876,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues",
"https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
+ "https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml"
],
"tags": [
@@ -85678,8 +85901,8 @@
"logsource.category": "No established category",
"logsource.product": "kubernetes",
"refs": [
- "https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob",
"https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/",
+ "https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml"
],
"tags": [
@@ -85841,10 +86064,10 @@
"logsource.category": "application",
"logsource.product": "kubernetes",
"refs": [
- "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html",
- "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
"https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer",
+ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/",
"https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html",
+ "https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml"
],
"tags": [
@@ -85908,8 +86131,8 @@
"logsource.category": "application",
"logsource.product": "kubernetes",
"refs": [
- "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/",
"https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch",
+ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml"
],
"tags": [
@@ -85941,8 +86164,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml"
],
"tags": [
@@ -85966,9 +86189,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
],
"tags": [
@@ -85991,9 +86214,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
],
@@ -86017,9 +86240,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
],
"tags": [
@@ -86061,9 +86284,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
],
"tags": [
@@ -86105,9 +86328,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
],
"tags": [
@@ -86148,10 +86371,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
],
"tags": [
@@ -86184,12 +86407,12 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
"https://github.com/zeronetworks/rpcfirewall",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
],
"tags": [
@@ -86213,9 +86436,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
],
"tags": [
@@ -86256,10 +86479,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
],
"tags": [
@@ -86292,10 +86515,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
],
"tags": [
@@ -86329,9 +86552,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
],
"tags": [
@@ -86354,9 +86577,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
],
@@ -86391,9 +86614,9 @@
"logsource.product": "rpc_firewall",
"refs": [
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
],
"tags": [
@@ -86416,9 +86639,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+ "https://github.com/zeronetworks/rpcfirewall",
+ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
],
@@ -86442,10 +86665,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
],
"tags": [
@@ -86468,10 +86691,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
],
"tags": [
@@ -86503,8 +86726,8 @@
"logsource.category": "file_event",
"logsource.product": "macos",
"refs": [
- "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
+ "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
],
"tags": [
@@ -86607,8 +86830,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
"https://objective-see.org/blog/blog_0x6D.html",
+ "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
"https://ss64.com/osx/csrutil.html",
"https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml"
@@ -86676,8 +86899,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://redcanary.com/blog/applescript/",
"https://ss64.com/osx/osacompile.html",
+ "https://redcanary.com/blog/applescript/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml"
],
"tags": [
@@ -86784,10 +87007,10 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
+ "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior",
"https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior",
"https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
"https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior",
- "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml"
],
"tags": [
@@ -86820,9 +87043,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
"https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
],
"tags": [
@@ -86879,8 +87102,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
"https://www.loobins.io/binaries/tmutil/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml"
],
"tags": [
@@ -86914,8 +87137,8 @@
"logsource.product": "macos",
"refs": [
"https://github.com/MythicAgents/typhon/",
- "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
"https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
+ "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml"
],
"tags": [
@@ -86973,10 +87196,10 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
+ "https://www.loobins.io/binaries/launchctl/",
+ "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
"https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md",
- "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
- "https://www.loobins.io/binaries/launchctl/",
"https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml"
],
@@ -87027,9 +87250,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/mac/hdiutil.html",
- "https://www.loobins.io/binaries/hdiutil/",
"https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/",
+ "https://www.loobins.io/binaries/hdiutil/",
+ "https://ss64.com/mac/hdiutil.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml"
],
"tags": [
@@ -87052,8 +87275,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos",
"https://ss64.com/osx/sysadminctl.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml"
],
"tags": [
@@ -87087,8 +87310,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
"https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
],
"tags": [
@@ -87121,9 +87344,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior",
- "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior",
"https://ss64.com/osx/sw_vers.html",
+ "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior",
+ "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml"
],
"tags": [
@@ -87157,8 +87380,8 @@
"logsource.product": "macos",
"refs": [
"https://github.com/MythicAgents/typhon/",
- "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
"https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
+ "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml"
],
"tags": [
@@ -87181,8 +87404,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos",
"https://ss64.com/osx/dscl.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml"
],
"tags": [
@@ -87217,8 +87440,8 @@
"logsource.product": "macos",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md",
- "https://ss64.com/osx/dsenableroot.html",
"https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml",
+ "https://ss64.com/osx/dsenableroot.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml"
],
"tags": [
@@ -87334,8 +87557,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
"https://www.manpagez.com/man/8/firmwarepasswd/",
+ "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
"https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
],
@@ -87359,9 +87582,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/mac/hdiutil.html",
- "https://www.loobins.io/binaries/hdiutil/",
"https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/",
+ "https://www.loobins.io/binaries/hdiutil/",
+ "https://ss64.com/mac/hdiutil.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml"
],
"tags": [
@@ -87435,8 +87658,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml"
],
"tags": [
@@ -87535,13 +87758,13 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
- "https://evasions.checkpoint.com/techniques/macos.html",
"https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
- "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior",
- "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior",
- "https://objective-see.org/blog/blog_0x1E.html",
"https://www.loobins.io/binaries/sysctl/#",
+ "https://objective-see.org/blog/blog_0x1E.html",
+ "https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior",
+ "https://evasions.checkpoint.com/techniques/macos.html",
+ "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/",
+ "https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml"
],
"tags": [
@@ -87616,9 +87839,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
"https://linux.die.net/man/1/dd",
"https://linux.die.net/man/1/truncate",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
],
"tags": [
@@ -87719,8 +87942,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://redcanary.com/blog/applescript/",
"https://objective-see.org/blog/blog_0x4B.html",
+ "https://redcanary.com/blog/applescript/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml"
],
"tags": [
@@ -87844,8 +88067,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
"https://redcanary.com/blog/applescript/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"
],
"tags": [
@@ -87911,8 +88134,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
"https://objective-see.org/blog/blog_0x6D.html",
+ "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior",
"https://ss64.com/osx/csrutil.html",
"https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml"
@@ -87980,8 +88203,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
"https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
],
"tags": [
@@ -88360,9 +88583,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl",
- "https://www.loobins.io/binaries/nscurl/",
"https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd",
+ "https://www.loobins.io/binaries/nscurl/",
+ "https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml"
],
"tags": [
@@ -88429,8 +88652,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/osx/sysadminctl.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://ss64.com/osx/sysadminctl.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"
],
"tags": [
@@ -88530,12 +88753,12 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/mac/system_profiler.html",
- "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
- "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
"https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
+ "https://ss64.com/mac/system_profiler.html",
"https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af",
"https://objective-see.org/blog/blog_0x62.html",
+ "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
+ "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml"
],
"tags": [
@@ -88610,8 +88833,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
"https://ss64.com/mac/chflags.html",
+ "https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
"https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml"
@@ -88703,8 +88926,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
"https://www.loobins.io/binaries/tmutil/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml"
],
"tags": [
@@ -88912,8 +89135,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
"https://www.loobins.io/binaries/tmutil/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml"
],
"tags": [
@@ -89101,8 +89324,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
"https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+ "https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml"
],
"tags": [
@@ -89176,10 +89399,10 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
- "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
- "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
"https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
+ "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
+ "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
],
"tags": [
@@ -89247,10 +89470,10 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership",
- "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository",
"https://docs.github.com/en/migrations",
+ "https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership",
"https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration",
+ "https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_repo_or_org_transferred.yml"
],
"tags": [
@@ -89361,8 +89584,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority",
"https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities",
+ "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_ssh_certificate_config_changed.yml"
],
"tags": [
@@ -89540,8 +89763,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
],
"tags": [
@@ -89564,8 +89787,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml"
],
"tags": [
@@ -89598,8 +89821,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
],
"tags": [
@@ -89632,9 +89855,9 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://dataconomy.com/2023/10/23/okta-data-breach/",
- "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach",
"https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/",
+ "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach",
+ "https://dataconomy.com/2023/10/23/okta-data-breach/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml"
],
"tags": [
@@ -89680,9 +89903,9 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
],
"tags": [
@@ -89715,8 +89938,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
],
"tags": [
@@ -89739,8 +89962,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
],
"tags": [
@@ -89797,9 +90020,9 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
],
"tags": [
@@ -89822,8 +90045,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
],
"tags": [
@@ -89846,8 +90069,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
],
"tags": [
@@ -89870,8 +90093,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
],
"tags": [
@@ -89904,8 +90127,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
],
"tags": [
@@ -89928,8 +90151,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml"
],
"tags": [
@@ -89962,9 +90185,9 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://sec.okta.com/fastpassphishingdetection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml"
],
"tags": [
@@ -89997,8 +90220,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml"
],
"tags": [
@@ -90021,8 +90244,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
],
"tags": [
@@ -90047,8 +90270,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
],
"tags": [
@@ -90071,8 +90294,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
],
"tags": [
@@ -90107,8 +90330,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml"
],
"tags": [
@@ -90141,8 +90364,8 @@
"logsource.category": "No established category",
"logsource.product": "cisco",
"refs": [
- "https://help.duo.com/s/article/6327?language=en_US",
"https://duo.com/docs/adminapi#logs",
+ "https://help.duo.com/s/article/6327?language=en_US",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml"
],
"tags": [
@@ -90386,8 +90609,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
+ "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml"
],
"tags": [
@@ -90607,9 +90830,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
"https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
"https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
+ "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml"
],
"tags": [
@@ -90759,9 +90982,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml"
],
"tags": [
@@ -91147,9 +91370,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html",
"https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/",
"https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things",
- "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml"
],
"tags": [
@@ -91234,8 +91457,8 @@
"logsource.product": "aws",
"refs": [
"https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
"https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml"
],
"tags": [
@@ -91425,12 +91648,12 @@
"logsource.product": "aws",
"refs": [
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://github.com/elastic/detection-rules/pull/1145/files",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml"
],
"tags": [
@@ -91845,8 +92068,8 @@
"logsource.product": "gcp",
"refs": [
"https://cloud.google.com/access-context-manager/docs/audit-logging",
- "https://cloud.google.com/logging/docs/audit/understanding-audit-logs",
"https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog",
+ "https://cloud.google.com/logging/docs/audit/understanding-audit-logs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml"
],
"tags": [
@@ -91906,8 +92129,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml"
],
"tags": [
@@ -92073,11 +92296,11 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://github.com/elastic/detection-rules/pull/1267",
- "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
- "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
+ "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
+ "https://github.com/elastic/detection-rules/pull/1267",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml"
],
"tags": [
@@ -92195,9 +92418,9 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml"
],
"tags": [
@@ -92244,9 +92467,9 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml"
],
"tags": [
@@ -92269,8 +92492,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings",
"https://support.google.com/a/answer/9261439",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml"
],
"tags": [
@@ -92304,8 +92527,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml"
],
"tags": [
@@ -92438,8 +92661,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml"
],
"tags": [
@@ -92472,8 +92695,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml"
],
"tags": [
@@ -92507,8 +92730,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml"
],
"tags": [
@@ -92550,8 +92773,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml"
],
"tags": [
@@ -92668,8 +92891,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml"
],
"tags": [
@@ -92736,8 +92959,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml"
],
"tags": [
@@ -92779,8 +93002,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml"
],
"tags": [
@@ -92854,8 +93077,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml"
],
"tags": [
@@ -92888,8 +93111,8 @@
"logsource.category": "No established category",
"logsource.product": "bitbucket",
"refs": [
- "https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html",
"https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html",
+ "https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml"
],
"tags": [
@@ -92938,8 +93161,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
"https://www.sygnia.co/golden-saml-advisory",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
"https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
"https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
"https://o365blog.com/post/aadbackdoor/",
@@ -93042,8 +93265,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml"
],
"tags": [
@@ -93076,8 +93299,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml"
],
"tags": [
@@ -93110,8 +93333,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml"
],
"tags": [
@@ -93144,8 +93367,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml"
],
"tags": [
@@ -93178,8 +93401,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml"
],
"tags": [
@@ -93212,8 +93435,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml"
],
"tags": [
@@ -93269,8 +93492,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml"
],
"tags": [
@@ -93303,8 +93526,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml"
],
"tags": [
@@ -93337,8 +93560,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml"
],
"tags": [
@@ -93361,8 +93584,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml"
],
"tags": [
@@ -93395,8 +93618,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
],
"tags": [
@@ -93462,8 +93685,8 @@
"logsource.category": "No established category",
"logsource.product": "m365",
"refs": [
- "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy",
+ "https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml"
],
"tags": [
@@ -94178,8 +94401,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/",
"https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487",
+ "https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/",
"https://twitter.com/NathanMcNulty/status/1785051227568632263",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml"
],
@@ -94819,8 +95042,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/",
"https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022",
+ "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml"
],
"tags": [
@@ -95726,8 +95949,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml"
],
"tags": [
@@ -95763,8 +95986,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml"
],
"tags": [
@@ -95797,8 +96020,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml"
],
"tags": [
@@ -95834,8 +96057,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml"
],
"tags": [
@@ -95868,8 +96091,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml"
],
"tags": [
@@ -95902,8 +96125,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml"
],
"tags": [
@@ -95973,8 +96196,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml"
],
"tags": [
@@ -96041,8 +96264,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml"
],
"tags": [
@@ -96078,8 +96301,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml"
],
"tags": [
@@ -96149,9 +96372,9 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
+ "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user",
"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in",
- "https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml"
],
"tags": [
@@ -96187,8 +96410,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml"
],
"tags": [
@@ -96221,8 +96444,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml"
],
"tags": [
@@ -96255,8 +96478,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules",
"https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml"
],
"tags": [
@@ -96323,8 +96546,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address",
"https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0",
+ "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml"
],
"tags": [
@@ -96423,8 +96646,8 @@
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml"
],
"tags": [
@@ -96476,8 +96699,8 @@
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml"
],
"tags": [
@@ -96503,8 +96726,8 @@
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml"
],
"tags": [
@@ -97092,8 +97315,8 @@
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml"
],
"tags": [
@@ -97204,8 +97427,8 @@
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml"
],
"tags": [
@@ -97356,8 +97579,8 @@
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml"
],
"tags": [
@@ -97394,8 +97617,8 @@
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
"https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml"
],
"tags": [
@@ -97675,10 +97898,10 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
"https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml"
],
"tags": [
@@ -97713,8 +97936,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
+ "https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml"
],
"tags": [
@@ -97991,9 +98214,9 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
],
"tags": "No established tags"
@@ -98014,10 +98237,10 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
],
"tags": [
@@ -98040,9 +98263,9 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
],
"tags": [
@@ -98111,8 +98334,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
- "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
"https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
],
"tags": [
@@ -98202,12 +98425,12 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
"https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
- "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
"https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
"https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
+ "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
+ "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
],
"tags": [
@@ -98239,8 +98462,8 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
"https://www.nextron-systems.com/?s=antivirus",
+ "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
],
"tags": [
@@ -98274,15 +98497,15 @@
"logsource.product": "No established product",
"refs": [
"https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
"https://www.nextron-systems.com/?s=antivirus",
"https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
"https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
"https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
"https://github.com/tennc/webshell",
- "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
],
"tags": [
@@ -98316,8 +98539,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
- "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
"https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
"https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
],
@@ -98451,10 +98674,10 @@
"logsource.category": "file_event",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
],
"tags": [
@@ -98511,10 +98734,10 @@
"logsource.category": "file_event",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml"
],
"tags": [
@@ -98713,10 +98936,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://linux.die.net/man/8/pam_tty_audit",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
],
"tags": [
@@ -98891,10 +99114,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://mn3m.info/posts/suid-vs-capabilities/",
- "https://man7.org/linux/man-pages/man8/getcap.8.html",
- "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
"https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
+ "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
+ "https://man7.org/linux/man-pages/man8/getcap.8.html",
+ "https://mn3m.info/posts/suid-vs-capabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
],
"tags": [
@@ -99035,8 +99258,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
],
"tags": [
@@ -99102,8 +99325,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
],
"tags": [
@@ -99169,8 +99392,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
"https://firewalld.org/documentation/man-pages/firewall-cmd.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
],
"tags": [
@@ -99237,8 +99460,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
],
"tags": [
@@ -99279,8 +99502,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
"https://linux.die.net/man/1/xclip",
+ "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
],
"tags": [
@@ -99313,8 +99536,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/wget/",
"https://linux.die.net/man/1/wget",
+ "https://gtfobins.github.io/gtfobins/wget/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
],
"tags": [
@@ -99413,8 +99636,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
"https://linux.die.net/man/1/arecord",
+ "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
],
"tags": [
@@ -99448,9 +99671,9 @@
"logsource.product": "linux",
"refs": [
"https://man7.org/linux/man-pages/man1/passwd.1.html",
+ "https://linux.die.net/man/1/chage",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
"https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
- "https://linux.die.net/man/1/chage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
],
"tags": [
@@ -99583,9 +99806,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://imagemagick.org/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
"https://linux.die.net/man/1/import",
+ "https://imagemagick.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
],
"tags": [
@@ -99618,9 +99841,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
],
"tags": [
@@ -99687,8 +99910,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
"https://objective-see.org/blog/blog_0x68.html",
+ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
"https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
],
@@ -100118,8 +100341,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
- "https://linux.die.net/man/8/insmod",
"https://man7.org/linux/man-pages/man8/kmod.8.html",
+ "https://linux.die.net/man/8/insmod",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
],
"tags": [
@@ -100252,8 +100475,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content",
"https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
+ "https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content",
"https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence",
"https://regex101.com/r/RugQYK/1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml"
@@ -100321,8 +100544,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
"https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
+ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml"
],
"tags": [
@@ -100346,9 +100569,9 @@
"logsource.product": "linux",
"refs": [
"https://gtfobins.github.io/gtfobins/awk/#shell",
+ "https://gtfobins.github.io/gtfobins/gawk/#shell",
"https://gtfobins.github.io/gtfobins/nawk/#shell",
"https://gtfobins.github.io/gtfobins/mawk/#shell",
- "https://gtfobins.github.io/gtfobins/gawk/#shell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml"
],
"tags": [
@@ -100405,8 +100628,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
"https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk",
+ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml"
],
"tags": [
@@ -100495,8 +100718,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml"
],
"tags": [
@@ -100745,8 +100968,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://attack.mitre.org/techniques/T1548/001/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
+ "https://attack.mitre.org/techniques/T1548/001/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
],
"tags": [
@@ -100779,10 +101002,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml"
],
"tags": [
@@ -100901,8 +101124,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/Tib3rius/AutoRecon",
- "https://github.com/projectdiscovery/naabu",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
+ "https://github.com/projectdiscovery/naabu",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml"
],
"tags": [
@@ -101002,8 +101225,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
"https://github.com/sleventyeleven/linuxprivchecker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
],
"tags": [
@@ -101160,10 +101383,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml"
],
"tags": [
@@ -101221,8 +101444,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://bpftrace.org/",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
],
"tags": [
@@ -101458,9 +101681,9 @@
"logsource.product": "linux",
"refs": [
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
"https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml"
],
"tags": [
@@ -101535,8 +101758,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US",
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
+ "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml"
],
"tags": [
@@ -101577,10 +101800,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
],
"tags": [
@@ -101604,8 +101827,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/diego-treitos/linux-smart-enumeration",
- "https://github.com/carlospolop/PEASS-ng",
"https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
+ "https://github.com/carlospolop/PEASS-ng",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
],
"tags": [
@@ -101662,10 +101885,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml"
],
"tags": [
@@ -101766,9 +101989,9 @@
"logsource.product": "linux",
"refs": [
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
"https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml"
],
"tags": [
@@ -101791,8 +102014,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
"https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
"https://github.com/apache/spark/pull/36315/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
],
@@ -101828,8 +102051,8 @@
"logsource.product": "linux",
"refs": [
"https://access.redhat.com/security/cve/cve-2019-14287",
- "https://twitter.com/matthieugarin/status/1183970598210412546",
"https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
],
"tags": [
@@ -101973,9 +102196,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
- "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
"https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
+ "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml"
],
"tags": [
@@ -102077,8 +102300,8 @@
"logsource.product": "linux",
"refs": [
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://linux.die.net/man/8/groupdel",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
],
@@ -102135,8 +102358,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
"https://linux.die.net/man/8/userdel",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
@@ -102171,10 +102394,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml"
],
"tags": [
@@ -102300,8 +102523,8 @@
"logsource.product": "linux",
"refs": [
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html",
- "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
"https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml"
],
"tags": [
@@ -102342,15 +102565,15 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/t3l3machus/hoaxshell",
- "https://github.com/t3l3machus/Villain",
- "https://github.com/carlospolop/PEASS-ng",
- "https://github.com/Ne0nd0g/merlin",
- "https://github.com/pathtofile/bad-bpf",
"https://github.com/Pennyw0rth/NetExec/",
- "https://github.com/1N3/Sn1per",
- "https://github.com/Gui774ume/ebpfkit",
+ "https://github.com/Ne0nd0g/merlin",
"https://github.com/HavocFramework/Havoc",
+ "https://github.com/pathtofile/bad-bpf",
+ "https://github.com/1N3/Sn1per",
+ "https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/t3l3machus/Villain",
+ "https://github.com/Gui774ume/ebpfkit",
+ "https://github.com/t3l3machus/hoaxshell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml"
],
"tags": [
@@ -102417,8 +102640,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/flock/#shell",
"https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/flock/#shell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml"
],
"tags": [
@@ -102485,8 +102708,8 @@
"logsource.product": "linux",
"refs": [
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml"
],
"tags": [
@@ -102577,8 +102800,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml"
],
"tags": [
@@ -102619,8 +102842,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
"https://research.splunk.com/endpoint/linux_doas_tool_execution/",
+ "https://www.makeuseof.com/how-to-install-and-use-doas/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
],
"tags": [
@@ -102654,8 +102877,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
"https://blog.skyplabs.net/posts/container-detection/",
+ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml"
],
"tags": [
@@ -102745,10 +102968,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/gcc/#shell",
- "https://gtfobins.github.io/gtfobins/c89/#shell",
- "https://gtfobins.github.io/gtfobins/c99/#shell",
"https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html",
+ "https://gtfobins.github.io/gtfobins/c99/#shell",
+ "https://gtfobins.github.io/gtfobins/c89/#shell",
+ "https://gtfobins.github.io/gtfobins/gcc/#shell",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml"
],
"tags": [
@@ -102782,8 +103005,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
"https://blog.skyplabs.net/posts/container-detection/",
+ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml"
],
"tags": [
@@ -102849,9 +103072,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/rvim/",
"https://gtfobins.github.io/gtfobins/vim/",
"https://gtfobins.github.io/gtfobins/vimdiff/",
+ "https://gtfobins.github.io/gtfobins/rvim/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml"
],
"tags": [
@@ -102884,11 +103107,11 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://curl.se/docs/manpage.html",
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
],
"tags": [
@@ -103053,8 +103276,8 @@
"logsource.product": "linux",
"refs": [
"https://gtfobins.github.io/gtfobins/nohup/",
- "https://en.wikipedia.org/wiki/Nohup",
"https://www.computerhope.com/unix/unohup.htm",
+ "https://en.wikipedia.org/wiki/Nohup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
],
"tags": [
@@ -103240,8 +103463,8 @@
"logsource.product": "linux",
"refs": [
"https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html",
- "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
"https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml"
],
"tags": [
@@ -103316,11 +103539,11 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
- "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
- "https://www.revshells.com/",
- "https://www.infosecademy.com/netcat-reverse-shells/",
"https://man7.org/linux/man-pages/man1/ncat.1.html",
+ "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
+ "https://www.infosecademy.com/netcat-reverse-shells/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
],
"tags": [
@@ -103452,8 +103675,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
"https://github.com/arget13/DDexec",
+ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml"
],
"tags": [
@@ -103552,10 +103775,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"
],
"tags": [
@@ -103611,8 +103834,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://bpftrace.org/",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
],
@@ -103670,8 +103893,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/apt/",
"https://gtfobins.github.io/gtfobins/apt-get/",
+ "https://gtfobins.github.io/gtfobins/apt/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml"
],
"tags": [
@@ -103704,10 +103927,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+ "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
"https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"
],
"tags": [
@@ -103740,9 +103963,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
"https://blogs.blackberry.com/",
"https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
],
"tags": [
@@ -103808,8 +104031,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
"https://github.com/sleventyeleven/linuxprivchecker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"
],
"tags": [
@@ -103842,10 +104065,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxhint.com/uninstall-debian-packages/",
- "https://sysdig.com/blog/mitre-defense-evasion-falco",
"https://linuxhint.com/uninstall_yum_package/",
+ "https://sysdig.com/blog/mitre-defense-evasion-falco",
"https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
+ "https://linuxhint.com/uninstall-debian-packages/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
],
"tags": [
@@ -103902,8 +104125,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
"https://blog.skyplabs.net/posts/container-detection/",
+ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml"
],
"tags": [
@@ -104263,11 +104486,11 @@
"logsource.category": "network_connection",
"logsource.product": "linux",
"refs": [
+ "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections",
"https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors",
- "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html",
"https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team",
"https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html",
- "https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections",
+ "https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml"
],
"tags": [
@@ -104483,10 +104706,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
"https://artkond.com/2017/03/23/pivoting-guide/",
"http://pastebin.com/FtygZ1cg",
"https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
],
"tags": [
@@ -104543,8 +104766,8 @@
"logsource.product": "linux",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
- "https://linux.die.net/man/8/useradd",
"https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
+ "https://linux.die.net/man/8/useradd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
],
"tags": [
@@ -104719,9 +104942,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
"https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
+ "https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
],
"tags": [
@@ -104912,8 +105135,8 @@
"logsource.product": "linux",
"refs": [
"https://access.redhat.com/security/cve/cve-2019-14287",
- "https://twitter.com/matthieugarin/status/1183970598210412546",
"https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
],
"tags": [
@@ -105175,5 +105398,5 @@
"value": "Modifying Crontab"
}
],
- "version": 20241003
+ "version": 20241017
}
From 576a3433d4308f4d79f61da67c69474434dc7b37 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 17 Oct 2024 14:10:14 +0200
Subject: [PATCH 40/42] chg: [README] updated
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 917ab53..332fdc6 100644
--- a/README.md
+++ b/README.md
@@ -535,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
[Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules.
-Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2965* elements
+Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2970* elements
[[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
From 9337227db7d2d6866bd1155c8a8f7e89aef9dc92 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Mon, 21 Oct 2024 08:48:56 +0200
Subject: [PATCH 41/42] added Unit42 name for Kimsuky (Sparkling Pisces)
---
clusters/threat-actor.json | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 40c3e41..c11735d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5681,7 +5681,8 @@
"https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage",
+ "https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/"
],
"synonyms": [
"Velvet Chollima",
@@ -5692,7 +5693,8 @@
"APT43",
"Emerald Sleet",
"THALLIUM",
- "Springtail"
+ "Springtail",
+ "Sparkling Pisces"
],
"targeted-sector": [
"Research - Innovation",
@@ -16985,5 +16987,5 @@
"value": "TaskMasters"
}
],
- "version": 316
+ "version": 317
}
From 6c4c2696b6ba0fb7cd92b901d4d2cdcf7223dbd1 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Fri, 25 Oct 2024 14:08:53 +0200
Subject: [PATCH 42/42] add APT37 alias used by AhnLab (TA-RedAnt)
---
clusters/threat-actor.json | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c11735d..cc95b8f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6422,7 +6422,8 @@
"https://securelist.com/operation-daybreak/75100/",
"https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
"https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/",
- "https://unit42.paloaltonetworks.com/atoms/moldypisces/"
+ "https://unit42.paloaltonetworks.com/atoms/moldypisces/",
+ "https://asec.ahnlab.com/en/83877/"
],
"synonyms": [
"APT 37",
@@ -6439,7 +6440,8 @@
"Venus 121",
"ATK4",
"G0067",
- "Moldy Pisces"
+ "Moldy Pisces",
+ "TA-RedAnt"
]
},
"related": [
@@ -16987,5 +16989,5 @@
"value": "TaskMasters"
}
],
- "version": 317
+ "version": 318
}