diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 066c4b2..0455d99 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -76,8 +76,8 @@
         "logsource.category": "firewall",
         "logsource.product": "No established product",
         "refs": [
-          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://www.cisecurity.org/controls/cis-controls-list/",
+          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
         ],
@@ -99,8 +99,8 @@
         "logsource.category": "firewall",
         "logsource.product": "No established product",
         "refs": [
-          "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
           "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
+          "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml"
         ],
         "tags": [
@@ -134,10 +134,10 @@
         "logsource.category": "dns",
         "logsource.product": "No established product",
         "refs": [
+          "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
           "https://core.telegram.org/bots/faq",
           "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
           "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
-          "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
         ],
         "tags": [
@@ -246,8 +246,8 @@
         "logsource.category": "dns",
         "logsource.product": "No established product",
         "refs": [
-          "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
           "https://twitter.com/stvemillertime/status/1024707932447854592",
+          "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
         ],
         "tags": [
@@ -1209,10 +1209,10 @@
         "logsource.category": "No established category",
         "logsource.product": "zeek",
         "refs": [
-          "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
-          "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
-          "https://threatpost.com/microsoft-petitpotam-poc/168163/",
           "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
+          "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
+          "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
+          "https://threatpost.com/microsoft-petitpotam-poc/168163/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
         ],
         "tags": [
@@ -1590,9 +1590,9 @@
         "logsource.category": "No established category",
         "logsource.product": "zeek",
         "refs": [
+          "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
           "https://github.com/nknorg/nkn-sdk-go",
           "https://github.com/Maka8ka/NGLite",
-          "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
         ],
         "tags": [
@@ -1649,8 +1649,8 @@
         "logsource.category": "No established category",
         "logsource.product": "zeek",
         "refs": [
-          "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
           "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+          "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
           "https://twitter.com/_dirkjan/status/1309214379003588608",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
         ],
@@ -1726,12 +1726,12 @@
         "logsource.category": "No established category",
         "logsource.product": "zeek",
         "refs": [
-          "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
+          "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
           "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
-          "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
-          "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
           "https://github.com/corelight/CVE-2021-1675",
+          "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+          "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
         ],
         "tags": [
@@ -1864,9 +1864,9 @@
         "logsource.product": "zeek",
         "refs": [
           "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
-          "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
-          "https://twitter.com/neu5ron/status/1346245602502443009",
           "https://tools.ietf.org/html/rfc2929#section-2.1",
+          "https://twitter.com/neu5ron/status/1346245602502443009",
+          "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
         ],
         "tags": [
@@ -2175,9 +2175,9 @@
         "logsource.category": "application",
         "logsource.product": "jvm",
         "refs": [
+          "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
           "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
           "https://rules.sonarsource.com/java/RSPEC-2755",
-          "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
         ],
         "tags": [
@@ -2277,9 +2277,9 @@
         "logsource.category": "application",
         "logsource.product": "ruby_on_rails",
         "refs": [
-          "http://guides.rubyonrails.org/action_controller_overview.html",
-          "http://edgeguides.rubyonrails.org/security.html",
           "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
+          "http://edgeguides.rubyonrails.org/security.html",
+          "http://guides.rubyonrails.org/action_controller_overview.html",
           "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
         ],
@@ -2314,9 +2314,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
-          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
-          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
           "https://github.com/zeronetworks/rpcfirewall",
+          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
+          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
         ],
         "tags": [
@@ -2349,9 +2349,9 @@
         "logsource.category": "application",
         "logsource.product": "rpc_firewall",
         "refs": [
-          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
           "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
         ],
@@ -2376,9 +2376,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
-          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
         ],
         "tags": [
@@ -2402,9 +2402,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
-          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
-          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
           "https://github.com/zeronetworks/rpcfirewall",
+          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
+          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
         ],
         "tags": [
@@ -2438,9 +2438,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
-          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
         ],
         "tags": [
@@ -2481,10 +2481,10 @@
         "logsource.category": "application",
         "logsource.product": "rpc_firewall",
         "refs": [
-          "https://github.com/zeronetworks/rpcfirewall",
-          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
-          "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+          "https://github.com/zeronetworks/rpcfirewall",
+          "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
         ],
         "tags": [
@@ -2542,9 +2542,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
-          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
         ],
         "tags": [
@@ -2586,8 +2586,8 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
-          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
           "https://github.com/zeronetworks/rpcfirewall",
+          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
         ],
         "tags": [
@@ -2629,9 +2629,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
-          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
         ],
         "tags": [
@@ -2672,12 +2672,12 @@
         "logsource.category": "application",
         "logsource.product": "rpc_firewall",
         "refs": [
-          "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
-          "https://github.com/zeronetworks/rpcfirewall",
-          "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
-          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
+          "https://github.com/zeronetworks/rpcfirewall",
+          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+          "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+          "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
         ],
         "tags": [
@@ -2700,8 +2700,8 @@
         "logsource.category": "application",
         "logsource.product": "rpc_firewall",
         "refs": [
-          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
           "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
@@ -2736,8 +2736,8 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
-          "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md",
+          "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942",
           "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml"
         ],
@@ -2762,9 +2762,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
-          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
         ],
         "tags": [
@@ -2787,9 +2787,9 @@
         "logsource.category": "application",
         "logsource.product": "rpc_firewall",
         "refs": [
-          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
+          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
           "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
         ],
@@ -2824,9 +2824,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
-          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
-          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
           "https://github.com/zeronetworks/rpcfirewall",
+          "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+          "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
         ],
         "tags": [
@@ -2850,9 +2850,9 @@
         "logsource.product": "rpc_firewall",
         "refs": [
           "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/",
+          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
-          "https://github.com/zeronetworks/rpcfirewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
         ],
         "tags": [
@@ -2943,10 +2943,10 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
           "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
-          "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
           "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+          "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+          "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
           "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
         ],
@@ -3128,8 +3128,8 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/timbmsft/status/900724491076214784",
           "https://github.com/hlldz/Invoke-Phant0m",
+          "https://twitter.com/timbmsft/status/900724491076214784",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml"
         ],
         "tags": [
@@ -3162,8 +3162,8 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/_xpn_/status/1491557187168178176",
           "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+          "https://twitter.com/_xpn_/status/1491557187168178176",
           "https://twitter.com/mrd0x/status/1460597833917251595",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
         ],
@@ -3418,9 +3418,9 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
+          "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
           "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
-          "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
           "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
         ],
@@ -3456,8 +3456,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
-          "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
           "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+          "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
           "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
         ],
@@ -3493,10 +3493,10 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
           "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
-          "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
           "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+          "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+          "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
           "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
         ],
@@ -3531,10 +3531,10 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
           "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
-          "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
           "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+          "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+          "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
           "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
         ],
@@ -3752,8 +3752,8 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/_xpn_/status/1491557187168178176",
           "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+          "https://twitter.com/_xpn_/status/1491557187168178176",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml"
         ],
         "tags": [
@@ -3787,9 +3787,9 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
+          "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
           "https://github.com/codewhitesec/SysmonEnte/",
           "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
-          "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
         ],
         "tags": [
@@ -3822,8 +3822,8 @@
         "logsource.category": "process_access",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/boku7/injectAmsiBypass",
           "https://github.com/boku7/spawn",
+          "https://github.com/boku7/injectAmsiBypass",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml"
         ],
         "tags": [
@@ -3968,6 +3968,29 @@
       "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd",
       "value": "Sysmon Process Hollowing Detection"
     },
+    {
+      "description": "Triggers on any Sysmon \"FileBlockShredding\" event, which indicates a violation of the configured shredding policy.",
+      "meta": {
+        "author": "frack113",
+        "creation_date": "2023/07/20",
+        "falsepositive": [
+          "Unlikely"
+        ],
+        "filename": "sysmon_file_block_shredding.yml",
+        "level": "high",
+        "logsource.category": "No established category",
+        "logsource.product": "windows",
+        "refs": [
+          "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_shredding.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "c3e5c1b1-45e9-4632-b242-27939c170239",
+      "value": "Sysmon Blocked File Shredding"
+    },
     {
       "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages",
       "meta": {
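Review bot: The description on the new `sysmon_file_block_shredding.yml` entry reads as if the rule fires on any shredding attempt, but a `FileBlockShredding` event is only emitted for paths covered by a matching rule in the deployed Sysmon configuration, so a silent rule says nothing about the absence of shredding. If this cluster mirrors the upstream Sigma rule, the wording belongs there, e.g. `Triggers on any Sysmon "FileBlockShredding" event (Event ID 28), which is only emitted for files covered by a FileBlockShredding rule in the Sysmon configuration.` The `level: high` / `falsepositive: Unlikely` pair is only defensible under that same assumption of a deliberately scoped config, and the entry should say so. Separately, most other hunks in this diff only reorder `refs` lists (starting with the hunk at `@@ -76,8`), which suggests the generator does not emit them in a stable order; sorting refs on output would keep future diffs to substantive changes.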
@@ -4002,6 +4025,30 @@
       "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8",
       "value": "Sysmon Configuration Error"
     },
+    {
+      "description": "Triggers on any Sysmon \"FileExecutableDetected\" event, which triggers every time a PE that is monitored by the config is created.",
+      "meta": {
+        "author": "frack113",
+        "creation_date": "2023/07/20",
+        "falsepositive": [
+          "Unlikely"
+        ],
+        "filename": "sysmon_file_executable.yml",
+        "level": "medium",
+        "logsource.category": "No established category",
+        "logsource.product": "windows",
+        "refs": [
+          "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36",
+          "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "693a44e9-7f26-4cb6-b787-214867672d3a",
+      "value": "Sysmon File Executable Creation Detected"
+    },
     {
       "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it",
       "meta": {
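Review bot: The new `sysmon_file_executable.yml` entry declares `falsepositive: ["Unlikely"]` while its own description says the rule fires on every `FileExecutableDetected` event, i.e. every PE written to a monitored path; on a broadly scoped Sysmon configuration that is routine installer and update activity, not an unlikely false positive. Either the false-positive text should name that condition (e.g. `Legitimate software installation or updates writing PE files to monitored paths`) or the entry should be documented as a telemetry/baseline rule rather than an alerting one. The `attack.defense_evasion` tag is also a loose fit for a file-creation event; if the mapping comes from the upstream Sigma rule, it should be revisited there and this cluster regenerated. The description's "Triggers ... which triggers" repeats itself; `Fires on any Sysmon "FileExecutableDetected" event, emitted whenever a PE covered by the Sysmon configuration is created.` reads more cleanly.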
@@ -4049,8 +4096,8 @@
         "logsource.category": "pipe_created",
         "logsource.product": "windows",
         "refs": [
-          "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
           "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+          "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml"
         ],
         "tags": [
@@ -4084,8 +4131,8 @@
         "logsource.category": "pipe_created",
         "logsource.product": "windows",
         "refs": [
-          "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
           "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+          "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml"
         ],
         "tags": [
@@ -4176,11 +4223,11 @@
         "logsource.category": "pipe_created",
         "logsource.product": "windows",
         "refs": [
+          "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+          "https://github.com/SigmaHQ/sigma/issues/253",
           "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
           "https://twitter.com/d4rksystem/status/1357010969264873472",
           "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
-          "https://github.com/SigmaHQ/sigma/issues/253",
-          "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
         ],
         "tags": [
@@ -4441,8 +4488,8 @@
         "logsource.category": "pipe_created",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/zcgonvh/EfsPotato",
           "https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
+          "https://github.com/zcgonvh/EfsPotato",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml"
         ],
         "tags": [
@@ -4518,18 +4565,18 @@
         "logsource.category": "pipe_created",
         "logsource.product": "windows",
         "refs": [
-          "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
-          "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
-          "https://securelist.com/faq-the-projectsauron-apt/75533/",
-          "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
           "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
-          "https://github.com/RiccardoAncarani/LiquidSnake",
-          "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
-          "https://www.us-cert.gov/ncas/alerts/TA17-117A",
-          "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
           "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
-          "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
           "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+          "https://github.com/RiccardoAncarani/LiquidSnake",
+          "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+          "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+          "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+          "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+          "https://securelist.com/faq-the-projectsauron-apt/75533/",
+          "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+          "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+          "https://www.us-cert.gov/ncas/alerts/TA17-117A",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
         ],
         "tags": [
@@ -4599,8 +4646,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/Azure/SimuLand",
-          "https://o365blog.com/post/adfs/",
           "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
+          "https://o365blog.com/post/adfs/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
         ],
         "tags": [
@@ -4757,8 +4804,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
           "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#",
+          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml"
         ],
         "tags": "No established tags"
@@ -5073,10 +5120,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+          "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
           "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
           "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
-          "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
+          "https://twitter.com/MsftSecIntel/status/1257324139515269121",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
         ],
         "tags": [
@@ -5109,8 +5156,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml"
         ],
         "tags": [
@@ -5295,8 +5342,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
           "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
         ],
         "tags": "No established tags"
@@ -5351,8 +5398,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
           "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
         ],
         "tags": "No established tags"
@@ -5463,8 +5510,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/menasec1/status/1106899890377052160",
           "https://www.secureworks.com/blog/ransomware-as-a-distraction",
+          "https://twitter.com/menasec1/status/1106899890377052160",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
         ],
         "tags": [
@@ -5531,11 +5578,11 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
-          "https://github.com/sensepost/ruler",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
-          "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
           "https://github.com/sensepost/ruler/issues/47",
+          "https://github.com/sensepost/ruler",
+          "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+          "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
         ],
         "tags": [
@@ -5626,8 +5673,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
-          "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
           "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
+          "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
         ],
         "tags": [
@@ -5820,9 +5867,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
+          "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
-          "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
         ],
         "tags": "No established tags"
@@ -5876,8 +5923,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
-          "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
           "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
+          "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
         ],
         "tags": [
@@ -5996,8 +6043,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
           "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
+          "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
           "https://twitter.com/_dirkjan/status/1309214379003588608",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
         ],
@@ -6123,8 +6170,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
           "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
+          "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
           "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml"
         ],
@@ -6338,9 +6385,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
           "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
           "https://github.com/fox-it/LDAPFragger",
+          "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
         ],
         "tags": [
@@ -6482,8 +6529,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
-          "https://twitter.com/gentilkiwi/status/1003236624925413376",
           "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
+          "https://twitter.com/gentilkiwi/status/1003236624925413376",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
         ],
         "tags": [
@@ -6627,9 +6674,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
+          "Live environment caused by malware",
           "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
-          "Live environment caused by malware",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
         ],
         "tags": [
@@ -6843,8 +6890,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
           "https://twitter.com/menasec1/status/1111556090137903104",
+          "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
         ],
         "tags": [
@@ -6943,8 +6990,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
           "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md",
+          "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml"
         ],
         "tags": [
@@ -7173,8 +7220,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
           "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml"
         ],
         "tags": "No established tags"
@@ -7195,10 +7242,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/SecurityJosh/status/1283027365770276866",
-          "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
-          "https://twitter.com/Flangvik/status/1283054508084473861",
           "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
+          "https://twitter.com/Flangvik/status/1283054508084473861",
+          "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+          "https://twitter.com/SecurityJosh/status/1283027365770276866",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
         ],
         "tags": [
@@ -7511,9 +7558,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/topotam/PetitPotam",
-          "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
           "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
+          "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+          "https://github.com/topotam/PetitPotam",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
         ],
         "tags": [
@@ -7546,8 +7593,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
+          "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
         ],
         "tags": [
@@ -7622,8 +7669,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
           "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+          "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml"
         ],
         "tags": [
@@ -7665,8 +7712,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
           "https://adsecurity.org/?p=3458",
+          "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
         ],
         "tags": [
@@ -7806,9 +7853,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
           "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
         ],
         "tags": "No established tags"
@@ -8110,8 +8157,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
           "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
+          "https://threathunterplaybook.com/library/windows/active_directory_replication.html",
           "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
         ],
@@ -8166,10 +8213,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://www.cisecurity.org/controls/cis-controls-list/",
-          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
         ],
         "tags": "No established tags"
@@ -8191,15 +8238,15 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
-          "https://bunnyinside.com/?term=f71e8cb9c76a",
           "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
-          "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
-          "https://twitter.com/_xpn_/status/1268712093928378368",
-          "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
           "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
-          "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
-          "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
           "http://managed670.rssing.com/chan-5590147/all_p1.html",
+          "https://bunnyinside.com/?term=f71e8cb9c76a",
+          "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+          "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+          "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+          "https://twitter.com/_xpn_/status/1268712093928378368",
+          "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
         ],
         "tags": [
@@ -8403,8 +8450,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://o365blog.com/post/hybridhealthagent/",
           "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
+          "https://o365blog.com/post/hybridhealthagent/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
         ],
         "tags": [
@@ -8701,8 +8748,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/topotam/PetitPotam",
           "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
+          "https://github.com/topotam/PetitPotam",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml"
         ],
         "tags": [
@@ -8735,9 +8782,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
           "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
           "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
+          "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
         ],
         "tags": [
@@ -8770,9 +8817,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
-          "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
           "https://adsecurity.org/?p=3466",
+          "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
+          "https://blog.harmj0y.net/redteaming/another-word-on-delegation/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
         ],
         "tags": [
@@ -8805,9 +8852,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/SBousseaden/status/1581300963650187264?",
           "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
           "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
-          "https://twitter.com/SBousseaden/status/1581300963650187264?",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
         ],
         "tags": [
@@ -8875,9 +8922,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.sans.org/webcasts/119395",
           "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
           "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+          "https://www.sans.org/webcasts/119395",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
         ],
         "tags": [
@@ -8961,10 +9008,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
-          "https://twitter.com/gentilkiwi/status/1003236624925413376",
           "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
+          "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
+          "https://twitter.com/gentilkiwi/status/1003236624925413376",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
         ],
         "tags": [
@@ -8998,8 +9045,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
           "https://twitter.com/SBousseaden/status/1101431884540710913",
+          "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
         ],
         "tags": [
@@ -9035,8 +9082,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/SBousseaden/status/1490608838701166596",
           "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
+          "https://twitter.com/SBousseaden/status/1490608838701166596",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
         ],
         "tags": [
@@ -9103,8 +9150,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://twitter.com/malmoeb/status/1511760068743766026",
-          "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
           "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
+          "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
         ],
         "tags": [
@@ -9239,9 +9286,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
+          "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
           "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
           "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
-          "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml"
         ],
         "tags": [
@@ -9456,10 +9503,10 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
-          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
           "https://www.cisecurity.org/controls/cis-controls-list/",
-          "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
           "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+          "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
         ],
         "tags": "No established tags"
@@ -9513,8 +9560,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
           "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
+          "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml"
         ],
         "tags": [
@@ -9549,10 +9596,10 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
-          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
-          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
           "https://www.cisecurity.org/controls/cis-controls-list/",
+          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
           "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
         ],
         "tags": "No established tags"
@@ -9642,8 +9689,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
           "https://github.com/zerosum0x0/CVE-2019-0708",
+          "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml"
         ],
         "tags": [
@@ -9762,10 +9809,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
-          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
-          "https://www.cisecurity.org/controls/cis-controls-list/",
           "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+          "https://www.cisecurity.org/controls/cis-controls-list/",
+          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
           "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
         ],
@@ -9903,8 +9950,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://goo.gl/PsqrhT",
           "https://twitter.com/JohnLaTwC/status/1004895028995477505",
+          "https://goo.gl/PsqrhT",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
         ],
         "tags": [
@@ -9972,8 +10019,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
           "https://twitter.com/mgreen27/status/1558223256704122882",
+          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml"
         ],
         "tags": [
@@ -9996,8 +10043,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
           "https://twitter.com/mgreen27/status/1558223256704122882",
+          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml"
         ],
         "tags": [
@@ -10020,11 +10067,11 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/DidierStevens/status/1217533958096924676",
-          "https://twitter.com/FlemmingRiis/status/1217147415482060800",
           "https://nullsec.us/windows-event-log-audit-cve/",
+          "https://twitter.com/FlemmingRiis/status/1217147415482060800",
           "https://www.youtube.com/watch?v=ebmW42YYveI",
           "https://twitter.com/VM_vivisector/status/1217190929330655232",
+          "https://twitter.com/DidierStevens/status/1217533958096924676",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
         ],
         "tags": [
@@ -10159,8 +10206,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
           "https://technet.microsoft.com/en-us/library/security/4022344",
+          "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml"
         ],
         "tags": [
@@ -10201,8 +10248,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
           "https://technet.microsoft.com/en-us/library/security/4022344",
+          "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml"
         ],
         "tags": [
@@ -10243,8 +10290,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
           "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
+          "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
           "https://github.com/deepinstinct/Lsass-Shtinkering",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
         ],
@@ -10278,8 +10325,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
           "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
+          "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msexchange_control_panel/win_vul_cve_2020_0688.yml"
         ],
         "tags": [
@@ -10346,9 +10393,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
-          "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
           "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
+          "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+          "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
         ],
         "tags": [
@@ -10542,8 +10589,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
           "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
+          "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml"
         ],
         "tags": [
@@ -10567,8 +10614,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
           "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+          "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml"
         ],
         "tags": [
@@ -10624,8 +10671,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
           "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+          "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml"
         ],
         "tags": [
@@ -10671,8 +10718,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
           "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+          "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
           "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
         ],
@@ -10794,8 +10841,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
           "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
+          "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
         ],
         "tags": [
@@ -10828,8 +10875,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/j00sean/status/1537750439701225472",
           "https://twitter.com/nas_bench/status/1539679555908141061",
+          "https://twitter.com/j00sean/status/1537750439701225472",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml"
         ],
         "tags": [
@@ -10852,9 +10899,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml"
         ],
         "tags": [
@@ -10877,9 +10924,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml"
         ],
         "tags": [
@@ -10902,9 +10949,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml"
         ],
         "tags": [
@@ -10927,9 +10974,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
-          "https://twitter.com/SBousseaden/status/1483810148602814466",
           "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+          "https://twitter.com/SBousseaden/status/1483810148602814466",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
         ],
@@ -10953,9 +11000,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml"
         ],
         "tags": [
@@ -10978,9 +11025,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml"
         ],
         "tags": [
@@ -11003,9 +11050,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml"
         ],
         "tags": [
@@ -11028,8 +11075,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://twitter.com/wdormann/status/1590434950335320065",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml"
         ],
@@ -11063,9 +11110,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml"
         ],
         "tags": [
@@ -11098,9 +11145,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
-          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
           "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+          "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml"
         ],
         "tags": [
@@ -11123,8 +11170,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/KevTheHermit/status/1410203844064301056",
           "https://github.com/hhlxf/PrintNightmare",
+          "https://twitter.com/KevTheHermit/status/1410203844064301056",
           "https://github.com/afwu/PrintNightmare",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
         ],
@@ -11181,11 +11228,11 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
+          "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+          "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
+          "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
           "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
           "https://winaero.com/enable-openssh-server-windows-10/",
-          "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
-          "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
-          "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
         ],
         "tags": [
@@ -11218,9 +11265,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
-          "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
           "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
+          "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
+          "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
         ],
         "tags": [
@@ -11447,9 +11494,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
           "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
           "Internal Research",
+          "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
         ],
         "tags": [
@@ -11482,8 +11529,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
+          "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
         ],
         "tags": [
@@ -11810,8 +11857,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://isc.sans.edu/diary/22264",
-          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
         ],
@@ -11881,8 +11928,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
-          "https://twitter.com/malmoeb/status/1535142803075960832",
           "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+          "https://twitter.com/malmoeb/status/1535142803075960832",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
         ],
         "tags": [
@@ -12016,9 +12063,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/gentilkiwi/status/861641945944391680",
           "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
           "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
+          "https://twitter.com/gentilkiwi/status/861641945944391680",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
         ],
         "tags": [
@@ -12148,8 +12195,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/zerosum0x0/CVE-2019-0708",
           "https://github.com/Ekultek/BlueKeep",
+          "https://github.com/zerosum0x0/CVE-2019-0708",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
         ],
         "tags": [
@@ -12458,8 +12505,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
           "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+          "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
         ],
         "tags": [
@@ -12859,9 +12906,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.sans.org/webcasts/119395",
           "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
           "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+          "https://www.sans.org/webcasts/119395",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
         ],
         "tags": [
@@ -13097,8 +13144,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
           "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
+          "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml"
         ],
         "tags": [
@@ -14223,9 +14270,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
           "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
           "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+          "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml"
         ],
         "tags": [
@@ -14258,9 +14305,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
           "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
           "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+          "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml"
         ],
         "tags": [
@@ -14653,9 +14700,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+          "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
         ],
         "tags": [
@@ -14726,11 +14773,11 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
-          "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
-          "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
-          "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
           "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
+          "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+          "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
+          "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+          "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
         ],
         "tags": [
@@ -14779,10 +14826,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
           "Internal Research",
-          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
           "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+          "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
         ],
         "tags": [
@@ -14805,10 +14852,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
           "Internal Research",
-          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
           "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+          "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
         ],
         "tags": [
@@ -14831,10 +14878,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
           "Internal Research",
-          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
           "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+          "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
         ],
         "tags": [
@@ -14857,10 +14904,10 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
           "Internal Research",
-          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
           "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+          "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
         ],
         "tags": [
@@ -14883,8 +14930,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
           "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+          "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml"
         ],
         "tags": [
@@ -14907,9 +14954,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
           "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
           "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+          "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
         ],
         "tags": [
@@ -14932,8 +14979,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
           "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+          "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml"
         ],
         "tags": [
@@ -15278,8 +15325,8 @@
         "logsource.category": "create_stream_hash",
         "logsource.product": "windows",
         "refs": [
-          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
           "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml"
         ],
         "tags": [
@@ -15337,8 +15384,8 @@
         "logsource.category": "create_stream_hash",
         "logsource.product": "windows",
         "refs": [
-          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
           "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+          "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
           "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml"
         ],
@@ -15607,9 +15654,9 @@
         "logsource.category": "registry_event",
         "logsource.product": "windows",
         "refs": [
-          "https://adepts.of0x.cc/netsh-portproxy-code/",
           "https://www.dfirnotes.net/portproxy_detection/",
           "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+          "https://adepts.of0x.cc/netsh-portproxy-code/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
         ],
         "tags": [
@@ -15644,9 +15691,9 @@
         "logsource.category": "registry_event",
         "logsource.product": "windows",
         "refs": [
+          "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
           "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
           "https://persistence-info.github.io/Data/recyclebin.html",
-          "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
         ],
         "tags": [
@@ -15679,8 +15726,8 @@
         "logsource.category": "registry_event",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
           "https://twitter.com/SBousseaden/status/1183745981189427200",
+          "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml"
         ],
         "tags": [
@@ -15714,8 +15761,8 @@
         "logsource.category": "registry_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
           "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
         ],
         "tags": [
@@ -15749,11 +15796,11 @@
         "logsource.category": "registry_event",
         "logsource.product": "windows",
         "refs": [
-          "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
-          "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
-          "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
-          "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
           "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
+          "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
+          "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
+          "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
+          "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
         ],
         "tags": [
@@ -15821,9 +15868,9 @@
         "logsource.category": "registry_event",
         "logsource.product": "windows",
         "refs": [
-          "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
           "https://twitter.com/inversecos/status/1494174785621819397",
           "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
+          "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml"
         ],
         "tags": [
@@ -15856,8 +15903,8 @@
         "logsource.category": "registry_event",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/pabraeken/status/990717080805789697",
           "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+          "https://twitter.com/pabraeken/status/990717080805789697",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
         ],
         "tags": [
@@ -16239,8 +16286,8 @@
         "logsource.category": "registry_event",
         "logsource.product": "windows",
         "refs": [
-          "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
           "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+          "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml"
         ],
         "tags": [
@@ -16648,9 +16695,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
-          "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
-          "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
           "https://github.com/hfiref0x/UACME",
+          "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+          "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
         ],
         "tags": [
@@ -16793,9 +16840,9 @@
         "logsource.category": "registry_delete",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
           "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
           "http://woshub.com/how-to-clear-rdp-connections-history/",
+          "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
         ],
         "tags": [
@@ -16869,8 +16916,8 @@
         "logsource.category": "registry_delete",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
           "https://seclists.org/fulldisclosure/2020/Mar/45",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml"
         ],
         "tags": [
@@ -16970,10 +17017,10 @@
         "logsource.product": "windows",
         "refs": [
           "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
-          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
-          "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
           "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
           "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+          "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
+          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
         ],
         "tags": [
@@ -17006,8 +17053,8 @@
         "logsource.category": "registry_add",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
           "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+          "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml"
         ],
         "tags": [
@@ -17073,8 +17120,8 @@
         "logsource.category": "registry_add",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
           "https://persistence-info.github.io/Data/diskcleanuphandler.html",
+          "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml"
         ],
         "tags": [
@@ -17131,11 +17178,11 @@
         "logsource.category": "registry_add",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
           "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
-          "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
           "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
           "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+          "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
+          "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
         ],
         "tags": [
@@ -17334,9 +17381,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
           "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
           "https://twitter.com/Hexacorn/status/991447379864932352",
+          "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
         ],
         "tags": [
@@ -17402,8 +17449,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
           "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+          "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml"
         ],
         "tags": [
@@ -17469,8 +17516,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://persistence-info.github.io/Data/htmlhelpauthor.html",
           "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
+          "https://persistence-info.github.io/Data/htmlhelpauthor.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
         ],
         "tags": [
@@ -17516,8 +17563,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
           "https://github.com/rootm0s/WinPwnage",
+          "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
         ],
         "tags": [
@@ -17691,11 +17738,11 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
+          "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
+          "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
+          "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
           "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
           "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
-          "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
-          "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
-          "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
         ],
         "tags": [
@@ -17754,8 +17801,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
         ],
         "tags": [
@@ -17788,12 +17835,12 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
-          "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
-          "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
-          "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
-          "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
           "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+          "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+          "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+          "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+          "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+          "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
           "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
         ],
@@ -17861,8 +17908,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
           "https://twitter.com/malmoeb/status/1560536653709598721",
+          "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
         ],
         "tags": [
@@ -17887,8 +17934,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
         ],
         "tags": [
@@ -17929,8 +17976,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://persistence-info.github.io/Data/wer_debugger.html",
           "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
+          "https://persistence-info.github.io/Data/wer_debugger.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
         ],
         "tags": [
@@ -17976,8 +18023,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
           "https://www.exploit-db.com/exploits/47696",
+          "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
         ],
         "tags": [
@@ -18051,8 +18098,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
           "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
+          "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
         ],
         "tags": [
@@ -18169,8 +18216,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://vanmieghem.io/stealth-outlook-persistence/",
           "https://twitter.com/_vivami/status/1347925307643355138",
+          "https://vanmieghem.io/stealth-outlook-persistence/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
         ],
         "tags": [
@@ -18206,8 +18253,8 @@
         "refs": [
           "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
         ],
         "tags": [
@@ -18240,8 +18287,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
           "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
+          "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
         ],
         "tags": [
@@ -18307,9 +18354,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
+          "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
           "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
           "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
-          "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
         ],
         "tags": [
@@ -18450,9 +18497,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://persistence-info.github.io/Data/codesigning.html",
           "https://github.com/gtworek/PSBits/tree/master/SIP",
           "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
+          "https://persistence-info.github.io/Data/codesigning.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
         ],
         "tags": [
@@ -18488,8 +18535,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
         ],
         "tags": [
@@ -18588,8 +18635,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
           "https://github.com/last-byte/PersistenceSniper",
+          "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
         ],
         "tags": [
@@ -18779,8 +18826,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/WhichbufferArda/status/1543900539280293889",
           "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
+          "https://twitter.com/WhichbufferArda/status/1543900539280293889",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
         ],
         "tags": [
@@ -18813,8 +18860,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
         ],
         "tags": [
@@ -18847,8 +18894,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
           "https://labs.f-secure.com/blog/scheduled-task-tampering/",
+          "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
         ],
         "tags": [
@@ -18990,8 +19037,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
           "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
+          "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
         ],
         "tags": [
@@ -19027,8 +19074,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
           "https://persistence-info.github.io/Data/diskcleanuphandler.html",
+          "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
         ],
         "tags": [
@@ -19108,8 +19155,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
+          "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml"
         ],
         "tags": [
@@ -19277,8 +19324,8 @@
         "refs": [
           "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
         ],
         "tags": [
@@ -19418,12 +19465,12 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
-          "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
-          "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
-          "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
-          "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
           "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+          "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+          "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+          "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+          "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+          "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
           "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
         ],
@@ -19493,8 +19540,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
         ],
         "tags": [
@@ -19529,8 +19576,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
         ],
         "tags": [
@@ -19596,8 +19643,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
           "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+          "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml"
         ],
         "tags": [
@@ -19782,9 +19829,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
-          "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
           "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
+          "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
+          "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml"
         ],
         "tags": [
@@ -19864,9 +19911,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
-          "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
           "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+          "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+          "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
         ],
         "tags": [
@@ -19901,8 +19948,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
         ],
         "tags": [
@@ -19935,10 +19982,10 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
-          "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
           "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
           "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
+          "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
+          "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml"
         ],
         "tags": [
@@ -20226,13 +20273,13 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
           "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
+          "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+          "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+          "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
           "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
           "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
-          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
-          "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
-          "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
         ],
         "tags": [
@@ -20369,8 +20416,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
           "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+          "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml"
         ],
         "tags": [
@@ -20420,8 +20467,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
           "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+          "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
           "https://twitter.com/inversecos/status/1494174785621819397",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml"
         ],
@@ -20774,8 +20821,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
         ],
         "tags": [
@@ -20808,8 +20855,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://persistence-info.github.io/Data/mpnotify.html",
           "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
+          "https://persistence-info.github.io/Data/mpnotify.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
         ],
         "tags": [
@@ -20834,8 +20881,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
         ],
         "tags": [
@@ -20901,8 +20948,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://persistence-info.github.io/Data/aedebug.html",
           "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
+          "https://persistence-info.github.io/Data/aedebug.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
         ],
         "tags": [
@@ -20960,8 +21007,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
         ],
         "tags": [
@@ -21028,9 +21075,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
+          "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
           "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
           "https://github.com/deepinstinct/Lsass-Shtinkering",
-          "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
         ],
         "tags": [
@@ -21063,9 +21110,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
           "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
           "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
+          "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
         ],
         "tags": [
@@ -21106,10 +21153,10 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
+          "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
           "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
           "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
-          "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
         ],
         "tags": [
@@ -21142,8 +21189,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
           "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml"
         ],
         "tags": [
@@ -21212,8 +21259,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
         ],
         "tags": [
@@ -21277,8 +21324,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.sans.org/cyber-security-summit/archives",
           "https://twitter.com/jamieantisocial/status/1304520651248668673",
+          "https://www.sans.org/cyber-security-summit/archives",
           "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
         ],
@@ -21540,8 +21587,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
           "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+          "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
           "https://twitter.com/inversecos/status/1494174785621819397",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml"
         ],
@@ -21737,8 +21784,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
           "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+          "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
         ],
         "tags": [
@@ -21772,8 +21819,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://twitter.com/pabraeken/status/998627081360695297",
-          "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
           "https://twitter.com/VakninHai/status/1517027824984547329",
+          "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
         ],
         "tags": [
@@ -21839,8 +21886,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
           "https://persistence-info.github.io/Data/autodialdll.html",
+          "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml"
         ],
         "tags": [
@@ -21897,8 +21944,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
           "https://youtu.be/zSihR3lTf7g",
+          "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml"
         ],
         "tags": [
@@ -21934,8 +21981,8 @@
         "refs": [
           "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
         ],
         "tags": [
@@ -22076,8 +22123,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
           "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
         ],
         "tags": [
@@ -22111,8 +22158,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5",
           "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior",
+          "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml"
         ],
         "tags": [
@@ -22178,9 +22225,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
-          "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
           "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
+          "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+          "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
         ],
         "tags": [
@@ -22203,10 +22250,10 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
           "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
-          "https://github.com/elastic/detection-rules/issues/1371",
+          "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
           "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+          "https://github.com/elastic/detection-rules/issues/1371",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
         ],
         "tags": [
@@ -22234,6 +22281,40 @@
       "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5",
       "value": "DNS-over-HTTPS Enabled by Registry"
     },
+    {
+      "description": "Detects potential WerFault \"ReflectDebugger\" registry value abuse for persistence.",
+      "meta": {
+        "author": "X__Junior",
+        "creation_date": "2023/05/18",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "registry_set_persistence_reflectdebugger.yml",
+        "level": "high",
+        "logsource.category": "registry_set",
+        "logsource.product": "windows",
+        "refs": [
+          "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
+          "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion",
+          "attack.t1036.003"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "0cf2e1c6-8d10-4273-8059-738778f981ad",
+      "value": "Potential WerFault ReflectDebugger Registry Value Abuse"
+    },
     {
       "description": "Detect set UseActionCenterExperience to 0 to disable the Windows security center notification",
       "meta": {
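Review bot: The new "Potential WerFault ReflectDebugger Registry Value Abuse" entry is tagged only `attack.defense_evasion` / `attack.t1036.003` (Masquerading: Rename System Utilities), and its single `related` link points at that same sub-technique, while the `description` states the rule detects registry value abuse "for persistence"; consumers pivoting on tactic will therefore file a persistence detection under defense evasion and never surface it in persistence hunts. If the mapping is meant to be persistence, the tag set should carry `attack.persistence` plus the matching technique tag, with the `related` `dest-uuid` regenerated in lockstep so the ATT&CK link and the tag do not drift apart. Because this cluster mirrors the upstream Sigma rule (the last ref names `registry_set_persistence_reflectdebugger.yml`) and the rest of the commit looks like a generator re-run, the correction presumably belongs in the upstream rule's `tags` followed by a regeneration rather than a hand edit here.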
@@ -22280,10 +22361,10 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/nas_bench/status/1626648985824788480",
           "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
           "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
+          "https://twitter.com/nas_bench/status/1626648985824788480",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml"
         ],
         "tags": [
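Review bot: This hunk only permutes the existing URLs inside `refs` without adding or removing any, and the same is true of nearly every other refs-only hunk in this commit (the ETW, dot-net, IFilter, WSMan and PowerShell hunks that follow). That pattern suggests the generator emits `refs` in an unordered (set-like) iteration order, which makes each regeneration produce a large noise diff that hides the real additions. Sorting `refs` deterministically in the generator, or keeping the upstream rule's order, would eliminate this churn; no change to the JSON content itself is needed.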
@@ -22350,9 +22431,9 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
+          "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
           "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
           "https://twitter.com/MichalKoczwara/status/1553634816016498688",
-          "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
         ],
         "tags": [
@@ -22375,17 +22456,17 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
           "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
-          "https://bunnyinside.com/?term=f71e8cb9c76a",
+          "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
           "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
-          "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
-          "https://twitter.com/_xpn_/status/1268712093928378368",
-          "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
           "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
-          "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
-          "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
           "http://managed670.rssing.com/chan-5590147/all_p1.html",
+          "https://bunnyinside.com/?term=f71e8cb9c76a",
+          "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+          "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+          "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+          "https://twitter.com/_xpn_/status/1268712093928378368",
+          "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
         ],
         "tags": [
@@ -22461,8 +22542,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
         ],
         "tags": [
@@ -22495,8 +22576,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
           "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+          "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
         ],
         "tags": [
@@ -22563,8 +22644,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
           "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
         ],
         "tags": [
@@ -22597,8 +22678,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
           "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
+          "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
         ],
         "tags": [
@@ -22631,10 +22712,10 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://persistence-info.github.io/Data/ifilters.html",
-          "https://twitter.com/0gtweet/status/1468548924600459267",
-          "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
           "https://github.com/gtworek/PSBits/tree/master/IFilter",
+          "https://twitter.com/0gtweet/status/1468548924600459267",
+          "https://persistence-info.github.io/Data/ifilters.html",
+          "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
         ],
         "tags": [
@@ -22715,8 +22796,8 @@
         "logsource.category": "registry_set",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
+          "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
         ],
         "tags": [
@@ -22750,8 +22831,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
           "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
+          "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
           "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml"
         ],
@@ -22787,9 +22868,9 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/dez_/status/986614411711442944",
           "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
           "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
-          "https://twitter.com/dez_/status/986614411711442944",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
         ],
         "tags": [
@@ -22984,8 +23065,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://decoded.avast.io/martinchlumecky/png-steganography/",
           "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+          "https://decoded.avast.io/martinchlumecky/png-steganography/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_svchost_dlls.yml"
         ],
         "tags": [
@@ -23028,9 +23109,9 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
           "https://twitter.com/HunterPlaybook/status/1301207718355759107",
           "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
+          "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
         ],
         "tags": [
@@ -23109,10 +23190,10 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
+          "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+          "https://github.com/bohops/WSMan-WinRM",
           "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
           "https://twitter.com/chadtilbury/status/1275851297770610688",
-          "https://github.com/bohops/WSMan-WinRM",
-          "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
         ],
         "tags": [
@@ -23579,8 +23660,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/surya-dev-singh/AmsiBypass-OpenSession",
-          "https://github.com/TheD1rkMtr/AMSI_patch",
           "https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9",
+          "https://github.com/TheD1rkMtr/AMSI_patch",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml"
         ],
         "tags": [
@@ -23732,12 +23813,12 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
-          "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
-          "https://github.com/Wh04m1001/SysmonEoP",
-          "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
           "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+          "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+          "https://github.com/Wh04m1001/SysmonEoP",
+          "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
           "https://decoded.avast.io/martinchlumecky/png-steganography/",
+          "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
         ],
         "tags": [
@@ -23966,10 +24047,10 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
+          "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
           "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
           "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
           "https://hijacklibs.net/",
-          "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
         ],
         "tags": [
@@ -23999,6 +24080,40 @@
       "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4",
       "value": "Potential System DLL Sideloading From Non System Locations"
     },
+    {
+      "description": "Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/07/11",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "image_load_side_load_abused_dlls_susp_paths.yml",
+        "level": "high",
+        "logsource.category": "image_load",
+        "logsource.product": "windows",
+        "refs": [
+          "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/",
+          "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml"
+        ],
+        "tags": [
+          "attack.execution",
+          "attack.t1059"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "799a5f48-0ac1-4e0f-9152-71d137d48c2a",
+      "value": "Abusable DLL Potential Sideloading From Suspicious Location"
+    },
     {
       "description": "Detects the image load of vss_ps.dll by uncommon executables",
       "meta": {
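Review bot: The new "Abusable DLL Potential Sideloading From Suspicious Location" entry is tagged `"attack.execution"` / `"attack.t1059"` (command and scripting interpreter), which does not match a DLL sideloading detection and is inconsistent with the other sideloading entries added in this same commit, which use `"attack.defense_evasion"`, `"attack.persistence"`, `"attack.privilege_escalation"`, `"attack.t1574.001"` and `"attack.t1574.002"`. The `related` block's `"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"` is derived from that tag and would need to change with it. Since this appears to mirror `image_load_side_load_abused_dlls_susp_paths.yml`, the correction should probably be made in the upstream rule and the cluster regenerated.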
@@ -24012,8 +24127,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
           "https://twitter.com/am0nsec/status/1412232114980982787",
+          "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml"
         ],
         "tags": [
@@ -24034,6 +24149,49 @@
       "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70",
       "value": "Suspicious Volume Shadow Copy VSS_PS.dll Load"
     },
+    {
+      "description": "Detects potential DLL sideloading of \"CCleanerDU.dll\"",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/07/13",
+        "falsepositive": [
+          "False positives could occur from other custom installation paths. Apply additional filters accordingly."
+        ],
+        "filename": "image_load_side_load_ccleaner_du.yml",
+        "level": "medium",
+        "logsource.category": "image_load",
+        "logsource.product": "windows",
+        "refs": [
+          "https://lab52.io/blog/2344-2/",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_du.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion",
+          "attack.persistence",
+          "attack.privilege_escalation",
+          "attack.t1574.001",
+          "attack.t1574.002"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        },
+        {
+          "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "1fbc0671-5596-4e17-8682-f020a0b995dc",
+      "value": "Potential CCleanerDU.DLL Sideloading"
+    },
     {
       "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking",
       "meta": {
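Review bot: The two CCleaner sideloading entries added in this commit (this one and the CCleanerReactivator entry further down) share the same date, reference, false-positive text and tags, yet attribute the author differently: `"author": "X__Junior (Nextron Systems)"` here versus `"author": "X__Junior"` in the Reactivator entry. Author attribution is stable metadata that consumers may key on, so the two should agree; pick one form and apply it to both. The identical `"falsepositive"` wording across both entries is fine, but a reader would expect the `refs` list to differ if the two DLLs were documented separately, so it is worth confirming that `https://lab52.io/blog/2344-2/` indeed covers both.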
@@ -24132,8 +24290,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://adsecurity.org/?p=2921",
           "https://github.com/p3nt4/PowerShdll",
+          "https://adsecurity.org/?p=2921",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml"
         ],
         "tags": [
@@ -24287,8 +24445,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/",
           "https://www.mandiant.com/resources/blog/lnk-between-browsers",
+          "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml"
         ],
         "tags": [
@@ -24355,8 +24513,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://www.py2exe.org/",
           "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/",
+          "https://www.py2exe.org/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml"
         ],
         "tags": [
@@ -24472,10 +24630,10 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
+          "https://github.com/tyranid/DotNetToJScript",
+          "https://thewover.github.io/Introducing-Donut/",
           "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
           "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
-          "https://thewover.github.io/Introducing-Donut/",
-          "https://github.com/tyranid/DotNetToJScript",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
         ],
         "tags": [
@@ -24496,6 +24654,49 @@
       "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea",
       "value": "DotNet CLR DLL Loaded By Scripting Applications"
     },
+    {
+      "description": "Detects potential DLL sideloading of \"CCleanerReactivator.dll\"",
+      "meta": {
+        "author": "X__Junior",
+        "creation_date": "2023/07/13",
+        "falsepositive": [
+          "False positives could occur from other custom installation paths. Apply additional filters accordingly."
+        ],
+        "filename": "image_load_side_load_ccleaner_reactivator.yml",
+        "level": "medium",
+        "logsource.category": "image_load",
+        "logsource.product": "windows",
+        "refs": [
+          "https://lab52.io/blog/2344-2/",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion",
+          "attack.persistence",
+          "attack.privilege_escalation",
+          "attack.t1574.001",
+          "attack.t1574.002"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        },
+        {
+          "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "3735d5ac-d770-4da0-99ff-156b180bc600",
+      "value": "Potential CCleanerReactivator.DLL Sideloading"
+    },
     {
       "description": "Detects unsigned module load by ClickOnce application.",
       "meta": {
@@ -24542,8 +24743,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
           "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
+          "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
           "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml"
         ],
@@ -24577,9 +24778,9 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/WhichbufferArda/status/1658829954182774784",
           "https://securelist.com/apt-luminousmoth/103332/",
           "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/",
-          "https://twitter.com/WhichbufferArda/status/1658829954182774784",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml"
         ],
         "tags": [
@@ -24655,8 +24856,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
           "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+          "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
         ],
         "tags": [
@@ -24918,8 +25119,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html",
           "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html",
+          "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml"
         ],
         "tags": [
@@ -25463,8 +25664,8 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/ly4k/SpoolFool",
           "https://github.com/hhlxf/PrintNightmare",
+          "https://github.com/ly4k/SpoolFool",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml"
         ],
         "tags": [
@@ -25663,9 +25864,9 @@
         "logsource.category": "image_load",
         "logsource.product": "windows",
         "refs": [
-          "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
           "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
+          "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
         ],
         "tags": [
@@ -25733,8 +25934,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://twitter.com/mattifestation/status/1196390321783025666",
-          "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
           "https://twitter.com/oulusoyum/status/1191329746069655553",
+          "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
         ],
         "tags": [
@@ -25850,9 +26051,9 @@
         "logsource.category": "wmi_event",
         "logsource.product": "windows",
         "refs": [
+          "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
           "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
           "https://github.com/RiccardoAncarani/LiquidSnake",
-          "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
         ],
         "tags": [
@@ -25885,9 +26086,9 @@
         "logsource.category": "ps_classic_start",
         "logsource.product": "windows",
         "refs": [
+          "https://nmap.org/ncat/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
           "https://github.com/besimorhino/powercat",
-          "https://nmap.org/ncat/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
         ],
         "tags": [
@@ -25920,9 +26121,9 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/chadtilbury/status/1275851297770610688",
-          "https://github.com/bohops/WSMan-WinRM",
           "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+          "https://github.com/bohops/WSMan-WinRM",
+          "https://twitter.com/chadtilbury/status/1275851297770610688",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
         ],
         "tags": [
@@ -26341,8 +26542,8 @@
         "logsource.category": "No established category",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+          "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml"
         ],
         "tags": [
@@ -26485,9 +26686,9 @@
         "logsource.category": "ps_module",
         "logsource.product": "windows",
         "refs": [
+          "https://www.mdeditor.tw/pl/pgRt",
           "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
           "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
-          "https://www.mdeditor.tw/pl/pgRt",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
         ],
         "tags": [
@@ -26581,8 +26782,8 @@
         "logsource.category": "ps_module",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md",
           "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
+          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
         ],
         "tags": [
@@ -26876,22 +27077,22 @@
         "refs": [
           "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
           "https://github.com/samratashok/nishang",
-          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
-          "https://github.com/calebstewart/CVE-2021-1675",
-          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
-          "https://github.com/HarmJ0y/DAMP",
-          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
-          "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
-          "https://adsecurity.org/?p=2921",
-          "https://github.com/Kevin-Robertson/Powermad",
-          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
-          "https://github.com/adrecon/AzureADRecon",
-          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
           "https://github.com/adrecon/ADRecon",
-          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+          "https://github.com/adrecon/AzureADRecon",
+          "https://github.com/HarmJ0y/DAMP",
           "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
-          "https://github.com/besimorhino/powercat",
+          "https://adsecurity.org/?p=2921",
+          "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
           "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+          "https://github.com/besimorhino/powercat",
+          "https://github.com/Kevin-Robertson/Powermad",
+          "https://github.com/calebstewart/CVE-2021-1675",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
         ],
         "tags": [
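Review bot: The `refs` array in this hunk is only re-shuffled, not changed — the removed and added lines hold the same set of URLs (nccgroup, calebstewart/CVE-2021-1675, PowerSharpPack, DAMP, Invoke-ZeroLogon, AzureHound, adsecurity, Powermad, …) in a different order, and nearly every other hunk in this diff shows the same pattern. That looks like the generator emitting `refs` from an unordered collection, which buries the two genuinely new cluster entries in this change under hundreds of churn lines and makes a dropped or added reference hard to spot in review. Emitting `refs` in a stable order (the order in the source Sigma rule, or sorted) before writing the JSON would make future diffs reviewable; this is a point about the generator, which is not visible here, rather than about the rule data itself.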
@@ -27258,21 +27459,21 @@
         "refs": [
           "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
           "https://github.com/samratashok/nishang",
-          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
-          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
-          "https://github.com/CsEnox/EventViewer-UACBypass",
-          "https://github.com/HarmJ0y/DAMP",
           "https://github.com/nettitude/Invoke-PowerThIEf",
           "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
-          "https://github.com/PowerShellMafia/PowerSploit",
-          "https://github.com/besimorhino/powercat",
-          "https://github.com/NetSPI/PowerUpSQL",
+          "https://github.com/CsEnox/EventViewer-UACBypass",
           "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+          "https://github.com/AlsidOfficial/WSUSpendu/",
+          "https://github.com/NetSPI/PowerUpSQL",
           "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+          "https://github.com/PowerShellMafia/PowerSploit",
+          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+          "https://github.com/HarmJ0y/DAMP",
+          "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+          "https://github.com/besimorhino/powercat",
           "https://github.com/S3cur3Th1sSh1t/WinPwn",
           "https://github.com/DarkCoderSc/PowerRunAsSystem/",
-          "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
-          "https://github.com/AlsidOfficial/WSUSpendu/",
+          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
         ],
         "tags": [
@@ -27520,8 +27721,8 @@
         "logsource.category": "ps_module",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+          "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml"
         ],
         "tags": [
@@ -27820,8 +28021,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+          "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml"
         ],
         "tags": [
@@ -27962,8 +28163,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
+          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
         ],
         "tags": [
@@ -28063,8 +28264,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
           "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml"
         ],
         "tags": [
@@ -28130,9 +28331,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
           "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+          "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
         ],
         "tags": [
@@ -28165,8 +28366,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
           "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
         ],
         "tags": [
@@ -28283,9 +28484,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://thedfirreport.com/2020/10/08/ryuks-return",
-          "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
           "https://powersploit.readthedocs.io/en/stable/Recon/README",
+          "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
+          "https://thedfirreport.com/2020/10/08/ryuks-return",
           "https://adsecurity.org/?p=2277",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
         ],
@@ -28361,8 +28562,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/bohops/status/948061991012327424",
           "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+          "https://twitter.com/bohops/status/948061991012327424",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml"
         ],
         "tags": [
@@ -28428,8 +28629,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
           "https://www.ietf.org/rfc/rfc2821.txt",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
           "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
         ],
@@ -28464,8 +28665,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
-          "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+          "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
         ],
         "tags": [
@@ -28533,8 +28734,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
           "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
         ],
         "tags": [
@@ -28700,9 +28901,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "http://woshub.com/manage-windows-firewall-powershell/",
           "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
           "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+          "http://woshub.com/manage-windows-firewall-powershell/",
           "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
           "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
@@ -28737,8 +28938,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
           "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
         ],
         "tags": [
@@ -28894,10 +29095,10 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
+          "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
           "https://youtu.be/5mqid-7zp8k?t=2481",
           "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
           "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
-          "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
         ],
         "tags": [
@@ -28986,8 +29187,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
           "https://www.fortypoundhead.com/showcontent.asp?artid=24022",
+          "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml"
         ],
         "tags": [
@@ -29225,9 +29426,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
-          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
           "https://adsecurity.org/?p=2604",
+          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
         ],
         "tags": [
@@ -29543,8 +29744,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
           "https://twitter.com/WindowsDocs/status/1620078135080325122",
+          "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml"
         ],
         "tags": [
@@ -29803,8 +30004,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/NathanMcNulty/status/1569497348841287681",
           "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
+          "https://twitter.com/NathanMcNulty/status/1569497348841287681",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml"
         ],
         "tags": [
@@ -29857,6 +30058,40 @@
       "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb",
       "value": "Malicious PowerShell Keywords"
     },
+    {
+      "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder",
+      "meta": {
+        "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2023/07/18",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "posh_ps_set_acl_susp_location.yml",
+        "level": "high",
+        "logsource.category": "ps_script",
+        "logsource.product": "windows",
+        "refs": [
+          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+          "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion",
+          "attack.t1222"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "3bf1d859-3a7e-44cb-8809-a99e066d3478",
+      "value": "PowerShell Set-Acl On Windows Folder - PsScript"
+    },
     {
       "description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
       "meta": {
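Review bot: The tags on this new entry (`attack.defense_evasion`, `attack.t1222`) do not cover the technique its own reference points at — the atomic-red-team link is the T1505.005 page, an ATT&CK persistence sub-technique, while the `related` mapping and tags carry only T1222. If the rule was derived from that atomic test, as the reference suggests, adding `attack.persistence` and `attack.t1505.005` alongside the existing tags would make the cluster findable from both techniques; the detection logic lives in the referenced YAML and is not visible in this diff, so confirm against it first. The title says "On Windows Folder" while the description says "a file in the Windows folder" — one wording, e.g. `"Detects PowerShell scripts that call Set-Acl on a file or folder under the Windows directory"`, would remove the ambiguity. With level `high` and falsepositive `"Unknown"`, naming at least the benign cases a responder is likely to hit (administrative or installer scripts that re-permission system files) would help triage, if the rule authors have observed any.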
@@ -30030,8 +30265,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
+          "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
         ],
         "tags": [
@@ -30098,8 +30333,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate",
+          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml"
         ],
         "tags": [
@@ -30381,8 +30616,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/Gerenios/AADInternals",
           "https://o365blog.com/aadinternals/",
+          "https://github.com/Gerenios/AADInternals",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml"
         ],
         "tags": [
@@ -30493,8 +30728,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell",
+          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml"
         ],
         "tags": [
@@ -30560,8 +30795,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "http://www.powertheshell.com/ntfsstreams/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
+          "http://www.powertheshell.com/ntfsstreams/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
         ],
         "tags": [
@@ -30603,8 +30838,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
+          "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
         ],
         "tags": [
@@ -30772,8 +31007,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
           "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
         ],
         "tags": [
@@ -30864,8 +31099,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
           "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
         ],
         "tags": [
@@ -31043,8 +31278,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
           "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+          "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
           "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
         ],
@@ -31078,9 +31313,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
+          "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
           "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
           "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
-          "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml"
         ],
         "tags": [
@@ -31100,6 +31335,39 @@
       "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c",
       "value": "Certificate Exported Via PowerShell - ScriptBlock"
     },
+    {
+      "description": "Detects PowerShell scripts set ACL to of a file or a folder",
+      "meta": {
+        "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2023/07/18",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "posh_ps_set_acl.yml",
+        "level": "low",
+        "logsource.category": "ps_script",
+        "logsource.product": "windows",
+        "refs": [
+          "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_acl.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion",
+          "attack.t1222"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "cae80281-ef23-44c5-873b-fd48d2666f49",
+      "value": "PowerShell Script Change Permission Via Set-Acl - PsScript"
+    },
     {
       "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts",
       "meta": {
@@ -31113,8 +31381,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
           "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+          "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
         ],
         "tags": [
@@ -31249,8 +31517,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+          "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
         ],
         "tags": [
@@ -31350,8 +31618,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
           "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
         ],
         "tags": [
@@ -31453,8 +31721,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
           "https://twitter.com/pabraeken/status/995111125447577600",
+          "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml"
         ],
         "tags": [
@@ -31487,9 +31755,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer",
           "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+          "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"
         ],
         "tags": [
@@ -31639,8 +31907,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
           "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml"
         ],
         "tags": [
@@ -31674,9 +31942,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
-          "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
-          "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
           "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
+          "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
+          "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
         ],
         "tags": [
@@ -31742,9 +32010,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
+          "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
           "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
           "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
-          "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
         ],
         "tags": [
@@ -32076,10 +32344,10 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
-          "https://twitter.com/ScumBots/status/1610626724257046529",
           "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+          "https://twitter.com/ScumBots/status/1610626724257046529",
           "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
+          "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
         ],
         "tags": [
@@ -32278,22 +32546,22 @@
         "refs": [
           "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
           "https://github.com/samratashok/nishang",
-          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
-          "https://github.com/calebstewart/CVE-2021-1675",
-          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
-          "https://github.com/HarmJ0y/DAMP",
-          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
-          "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
-          "https://adsecurity.org/?p=2921",
-          "https://github.com/Kevin-Robertson/Powermad",
-          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
-          "https://github.com/adrecon/AzureADRecon",
-          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
           "https://github.com/adrecon/ADRecon",
-          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+          "https://github.com/adrecon/AzureADRecon",
+          "https://github.com/HarmJ0y/DAMP",
           "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
-          "https://github.com/besimorhino/powercat",
+          "https://adsecurity.org/?p=2921",
+          "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
           "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+          "https://github.com/besimorhino/powercat",
+          "https://github.com/Kevin-Robertson/Powermad",
+          "https://github.com/calebstewart/CVE-2021-1675",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
         ],
         "tags": [
@@ -32426,8 +32694,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
-          "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
           "https://www.shellhacks.com/clear-history-powershell/",
+          "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
         ],
         "tags": [
@@ -33026,8 +33294,8 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
           "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
         ],
         "tags": [
@@ -33197,6 +33465,29 @@
       "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7",
       "value": "Invoke-Obfuscation Via Stdin - Powershell"
     },
+    {
+      "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script",
+      "meta": {
+        "author": "Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2023/07/13",
+        "falsepositive": [
+          "Legitimate administration and backup scripts"
+        ],
+        "filename": "posh_ps_win32_nteventlogfile_usage.yml",
+        "level": "medium",
+        "logsource.category": "ps_script",
+        "logsource.product": "windows",
+        "refs": [
+          "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "e2812b49-bae0-4b21-b366-7c142eafcde2",
+      "value": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript"
+    },
     {
       "description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.",
       "meta": {
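Review bot: The new cluster entry carries only the tactic tag `"attack.defense_evasion"` in `tags`, while its description (delete, backup, change permissions on event log files) maps to a well-known technique, so consumers that filter or pivot on technique-level tags will not find it. If the upstream Sigma rule carries a technique tag (the conventional form would be `"attack.t1070.001"` for clearing Windows event logs), it should be propagated here; if it does not, this is worth raising upstream rather than patching in the generated file.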
@@ -33210,9 +33501,9 @@
         "logsource.category": "ps_script",
         "logsource.product": "windows",
         "refs": [
+          "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
           "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
-          "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
         ],
         "tags": [
@@ -33421,8 +33712,8 @@
         "logsource.category": "create_remote_thread",
         "logsource.product": "windows",
         "refs": [
-          "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
           "https://github.com/GhostPack/KeeThief",
+          "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
           "https://github.com/denandz/KeeFarce",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
         ],
@@ -33589,8 +33880,8 @@
         "logsource.category": "create_remote_thread",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io",
           "Personal research, statistical analysis",
+          "https://lolbas-project.github.io",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml"
         ],
         "tags": [
@@ -33857,10 +34148,10 @@
         "logsource.category": "driver_load",
         "logsource.product": "windows",
         "refs": [
-          "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
-          "https://github.com/fengjixuchui/gdrv-loader",
-          "https://twitter.com/malmoeb/status/1551449425842786306",
           "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
+          "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
+          "https://twitter.com/malmoeb/status/1551449425842786306",
+          "https://github.com/fengjixuchui/gdrv-loader",
           "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
         ],
@@ -33927,8 +34218,8 @@
         "logsource.category": "driver_load",
         "logsource.product": "windows",
         "refs": [
-          "https://systeminformer.sourceforge.io/",
           "https://github.com/winsiderss/systeminformer",
+          "https://systeminformer.sourceforge.io/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml"
         ],
         "tags": [
@@ -34036,8 +34327,8 @@
         "logsource.category": "driver_load",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
           "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+          "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml"
         ],
         "tags": [
@@ -34070,8 +34361,8 @@
         "logsource.category": "driver_load",
         "logsource.product": "windows",
         "refs": [
-          "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
           "https://reqrypt.org/windivert-doc.html",
+          "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml"
         ],
         "tags": [
@@ -34305,8 +34596,8 @@
         "logsource.category": "driver_load",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/alfarom256/CVE-2022-3699/",
           "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
+          "https://github.com/alfarom256/CVE-2022-3699/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml"
         ],
         "tags": [
@@ -34474,8 +34765,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf",
           "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/",
+          "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml"
         ],
         "tags": [
@@ -34497,6 +34788,30 @@
       "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b",
       "value": "Notepad Making Network Connection"
     },
+    {
+      "description": "Detects office suit applications communicating to target systems on uncommon ports",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/07/12",
+        "falsepositive": [
+          "Other ports can be used, apply additional filters accordingly"
+        ],
+        "filename": "net_connection_win_office_susp_ports.yml",
+        "level": "medium",
+        "logsource.category": "network_connection",
+        "logsource.product": "windows",
+        "refs": [
+          "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_susp_ports.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion",
+          "attack.command_and_control"
+        ]
+      },
+      "uuid": "3b5ba899-9842-4bc2-acc2-12308498bf42",
+      "value": "Suspicious Office Outbound Connections"
+    },
     {
       "description": "Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses",
       "meta": {
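Review bot: The description of the new entry has a typo: "office suit applications" should read "office suite applications", i.e. `"description": "Detects office suite applications communicating to target systems on uncommon ports"`. Since this file appears to be generated from the Sigma rule named in `filename`, the fix belongs in the upstream rule's `description` so it is not overwritten on the next regeneration.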
@@ -34535,7 +34850,7 @@
     {
       "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.",
       "meta": {
-        "author": "Sorina Ionescu",
+        "author": "Sorina Ionescu, X__Junior (Nextron Systems)",
         "creation_date": "2022/08/17",
         "falsepositive": [
           "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender."
@@ -34545,8 +34860,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
           "https://content.fireeye.com/apt-41/rpt-apt41",
+          "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
           "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
         ],
@@ -34987,10 +35302,10 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
           "https://twitter.com/M_haggis/status/1032799638213066752",
-          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
           "https://twitter.com/M_haggis/status/900741347035889665",
+          "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
           "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
         ],
@@ -35126,8 +35441,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://www.poolwatch.io/coin/monero",
           "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt",
+          "https://www.poolwatch.io/coin/monero",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml"
         ],
         "tags": [
@@ -35250,10 +35565,10 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
-          "https://github.com/looCiprian/GC2-sheet",
           "https://youtu.be/n2dFlSaBBKo",
           "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
+          "https://github.com/looCiprian/GC2-sheet",
+          "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
           "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml"
         ],
@@ -35471,8 +35786,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://ngrok.com/",
           "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
+          "https://ngrok.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml"
         ],
         "tags": [
@@ -35505,9 +35820,9 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/kleiton0x7e/status/1600567316810551296",
           "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
           "https://github.com/kleiton0x00/RedditC2",
-          "https://twitter.com/kleiton0x7e/status/1600567316810551296",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml"
         ],
         "tags": [
@@ -35540,8 +35855,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/mttaggart/OffensiveNotion",
           "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332",
+          "https://github.com/mttaggart/OffensiveNotion",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml"
         ],
         "tags": [
@@ -35608,8 +35923,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://redcanary.com/blog/child-processes/",
           "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
+          "https://redcanary.com/blog/child-processes/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml"
         ],
         "tags": [
@@ -35718,10 +36033,10 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
-          "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
           "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+          "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
           "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+          "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml"
         ],
         "tags": [
@@ -35754,8 +36069,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
           "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
+          "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
         ],
         "tags": "No established tags"
@@ -35776,8 +36091,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://megatools.megous.com/",
           "https://www.mandiant.com/resources/russian-targeting-gov-business",
+          "https://megatools.megous.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
         ],
         "tags": [
@@ -35810,8 +36125,8 @@
         "logsource.category": "network_connection",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml"
         ],
         "tags": [
@@ -35929,8 +36244,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
           "https://adsecurity.org/?p=2398",
+          "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml"
         ],
         "tags": [
@@ -35971,10 +36286,10 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/WiredPulse/Invoke-HiveNightmare",
-          "https://github.com/FireFart/hivenightmare/",
           "https://twitter.com/cube0x0/status/1418920190759378944",
+          "https://github.com/WiredPulse/Invoke-HiveNightmare",
           "https://github.com/GossiTheDog/HiveNightmare",
+          "https://github.com/FireFart/hivenightmare/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml"
         ],
         "tags": [
@@ -36008,8 +36323,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
           "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml"
         ],
         "tags": [
@@ -36032,9 +36347,9 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
+          "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
           "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
           "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
-          "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml"
         ],
         "tags": [
@@ -36084,11 +36399,11 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
-          "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
-          "https://twitter.com/luc4m/status/1073181154126254080",
-          "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
           "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+          "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+          "https://twitter.com/luc4m/status/1073181154126254080",
+          "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+          "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
         ],
         "tags": [
@@ -36154,8 +36469,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/0gtweet/status/1465282548494487554",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
+          "https://twitter.com/0gtweet/status/1465282548494487554",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml"
         ],
         "tags": [
@@ -36268,11 +36583,11 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.google.com/search?q=procdump+lsass",
-          "https://github.com/helpsystems/nanodump",
-          "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
           "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
           "https://github.com/CCob/MirrorDump",
+          "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+          "https://www.google.com/search?q=procdump+lsass",
+          "https://github.com/helpsystems/nanodump",
           "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
         ],
@@ -36340,8 +36655,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
           "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+          "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml"
         ],
         "tags": [
@@ -36365,12 +36680,12 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
-          "https://twitter.com/MaD_c4t/status/1623414582382567424",
           "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
-          "https://labs.withsecure.com/publications/detecting-onenote-abuse",
           "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
           "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
+          "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
+          "https://labs.withsecure.com/publications/detecting-onenote-abuse",
+          "https://twitter.com/MaD_c4t/status/1623414582382567424",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml"
         ],
         "tags": [
@@ -36429,9 +36744,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
-          "https://pentestlab.blog/tag/ntds-dit/",
-          "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
           "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+          "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
+          "https://pentestlab.blog/tag/ntds-dit/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml"
         ],
         "tags": [
@@ -36464,8 +36779,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/davisrichardg/status/1616518800584704028",
           "https://aboutdfir.com/the-key-to-identify-psexec/",
+          "https://twitter.com/davisrichardg/status/1616518800584704028",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml"
         ],
         "tags": [
@@ -36542,11 +36857,11 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
-          "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
-          "https://twitter.com/luc4m/status/1073181154126254080",
-          "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
           "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+          "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+          "https://twitter.com/luc4m/status/1073181154126254080",
+          "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+          "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
         ],
         "tags": [
@@ -36612,10 +36927,10 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
+          "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
           "https://github.com/Yaxser/Backstab",
           "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
           "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
-          "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
         ],
         "tags": [
@@ -36792,8 +37107,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
-          "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
           "Internal Research",
+          "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
         ],
         "tags": [
@@ -36859,10 +37174,10 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
+          "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
           "http://addbalance.com/word/startup.htm",
           "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
           "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
-          "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml"
         ],
         "tags": [
@@ -36994,9 +37309,9 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/cube0x0/CVE-2021-1675",
           "https://github.com/hhlxf/PrintNightmare",
           "https://github.com/afwu/PrintNightmare",
+          "https://github.com/cube0x0/CVE-2021-1675",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
         ],
         "tags": [
@@ -37032,8 +37347,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
           "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
+          "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml"
         ],
         "tags": [
@@ -37080,10 +37395,10 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
-          "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
-          "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
           "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
+          "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
+          "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
+          "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
         ],
         "tags": [
@@ -37151,8 +37466,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
           "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
+          "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml"
         ],
         "tags": [
@@ -37519,11 +37834,11 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
-          "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
           "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
           "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+          "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
           "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+          "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
         ],
         "tags": [
@@ -37590,25 +37905,25 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/nettitude/Invoke-PowerThIEf",
-          "https://github.com/NetSPI/PowerUpSQL",
-          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
-          "https://github.com/AlsidOfficial/WSUSpendu/",
           "https://github.com/samratashok/nishang",
-          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
           "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
-          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
-          "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
-          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
-          "https://github.com/PowerShellMafia/PowerSploit",
-          "https://github.com/adrecon/ADRecon",
-          "https://github.com/adrecon/AzureADRecon",
-          "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
-          "https://github.com/HarmJ0y/DAMP",
           "https://github.com/CsEnox/EventViewer-UACBypass",
-          "https://github.com/Kevin-Robertson/Powermad",
           "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+          "https://github.com/NetSPI/PowerUpSQL",
+          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
           "https://github.com/S3cur3Th1sSh1t/WinPwn",
+          "https://github.com/Kevin-Robertson/Powermad",
+          "https://github.com/adrecon/ADRecon",
+          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+          "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+          "https://github.com/nettitude/Invoke-PowerThIEf",
+          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+          "https://github.com/adrecon/AzureADRecon",
+          "https://github.com/AlsidOfficial/WSUSpendu/",
+          "https://github.com/PowerShellMafia/PowerSploit",
+          "https://github.com/HarmJ0y/DAMP",
+          "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
           "https://github.com/besimorhino/powercat",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
         ],
@@ -37642,9 +37957,9 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
+          "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
           "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
           "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
-          "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
         ],
         "tags": [
@@ -37917,8 +38232,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
           "https://persistence-info.github.io/Data/powershellprofile.html",
+          "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
         ],
         "tags": [
@@ -38054,8 +38369,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
           "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+          "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml"
         ],
         "tags": [
@@ -38267,8 +38582,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md",
           "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
+          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
         ],
         "tags": [
@@ -38337,8 +38652,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
           "https://github.com/klinix5/InstallerFileTakeOver",
+          "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
         ],
         "tags": [
@@ -38371,10 +38686,10 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
-          "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
-          "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
           "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+          "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+          "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+          "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
         ],
         "tags": [
@@ -38407,9 +38722,9 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
           "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
           "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
+          "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
         ],
         "tags": [
@@ -38442,9 +38757,9 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
           "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
           "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
+          "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
         ],
         "tags": [
@@ -38468,9 +38783,9 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
+          "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
           "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
           "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
-          "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
         ],
         "tags": [
@@ -38678,8 +38993,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
           "https://cobalt.io/blog/kerberoast-attack-techniques",
+          "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml"
         ],
         "tags": [
@@ -38886,8 +39201,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
+          "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml"
         ],
         "tags": [
@@ -39021,9 +39336,9 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
           "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
           "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
+          "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
         ],
         "tags": [
@@ -39214,8 +39529,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
           "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml"
         ],
         "tags": [
@@ -39238,10 +39553,10 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/cube0x0/CVE-2021-36934",
-          "https://github.com/HuskyHacks/ShadowSteal",
-          "https://github.com/FireFart/hivenightmare",
           "https://github.com/search?q=CVE-2021-36934",
+          "https://github.com/cube0x0/CVE-2021-36934",
+          "https://github.com/FireFart/hivenightmare",
+          "https://github.com/HuskyHacks/ShadowSteal",
           "https://www.google.com/search?q=%22reg.exe+save%22+sam",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
         ],
@@ -39391,11 +39706,10 @@
         "author": "D3F7A5105",
         "creation_date": "2023/01/02",
         "falsepositive": [
-          "Admin activity",
-          "Backup activity"
+          "Administrator or backup activity"
         ],
         "filename": "file_event_win_create_evtx_non_common_locations.yml",
-        "level": "medium",
+        "level": "high",
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
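Review bot: `"level"` is raised from `medium` to `high` while the merged `falsepositive` entry still documents routine `Administrator or backup activity`, so consumers that map level directly to alert priority will now page on that benign activity unless they also read the falsepositive field. If the bump mirrors the upstream rule the generated value is correct, but the cluster carries no modified date or note explaining the re-rating (`creation_date` stays `2023/01/02`), so the change is not traceable from this file alone. The enclosing cluster object starts before and ends after the hunk.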
@@ -39547,8 +39861,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
           "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
+          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
         ],
         "tags": [
@@ -39692,6 +40006,30 @@
       "uuid": "52753ea4-b3a0-4365-910d-36cff487b789",
       "value": "Hijack Legit RDP Session to Move Laterally"
     },
+    {
+      "description": "Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/07/12",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "file_event_win_susp_recycle_bin_fake_exec.yml",
+        "level": "high",
+        "logsource.category": "file_event",
+        "logsource.product": "windows",
+        "refs": [
+          "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml"
+        ],
+        "tags": [
+          "attack.persistence",
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca",
+      "value": "Suspicious File Creation Activity From Fake Recycle.Bin Folder"
+    },
     {
       "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database)",
       "meta": {
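Review bot: The new cluster's `tags` carry only tactic-level entries (`attack.persistence`, `attack.defense_evasion`) and no technique id, unlike the other entry added in this diff, which tags `attack.t1547.015` and gets a `related` link at L4489. If `related` is derived from the technique tag, this entry will not be linked to an ATT&CK technique object; adding the technique the upstream rule maps to (a fake system folder suggests a masquerading `attack.t1036` sub-technique tag, if that is what the rule carries) would fix that. The description `file write event from/to a fake recycle bin folder` also reads oddly; `file creation or write events in a fake recycle bin folder` would match the `value` title better.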
@@ -39762,8 +40100,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
           "https://github.com/GhostPack/SafetyKatz",
+          "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml"
         ],
         "tags": [
@@ -39851,10 +40189,10 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
-          "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
           "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
           "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+          "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+          "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
         ],
         "tags": "No established tags"
@@ -40043,8 +40381,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
           "https://github.com/last-byte/PersistenceSniper",
+          "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml"
         ],
         "tags": [
@@ -40067,9 +40405,9 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
           "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
           "https://github.com/fox-it/LDAPFragger",
+          "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
         ],
         "tags": [
@@ -40171,8 +40509,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
+          "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml"
         ],
         "tags": [
@@ -40271,8 +40609,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.joesandbox.com/analysis/465533/0/html",
           "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+          "https://www.joesandbox.com/analysis/465533/0/html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
         ],
         "tags": [
@@ -40347,8 +40685,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
+          "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml"
         ],
         "tags": [
@@ -40582,12 +40920,12 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
-          "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
-          "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
-          "https://github.com/Wh04m1001/SysmonEoP",
           "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+          "https://github.com/Wh04m1001/SysmonEoP",
+          "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
           "https://decoded.avast.io/martinchlumecky/png-steganography/",
+          "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+          "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
         ],
         "tags": [
@@ -40672,8 +41010,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "Internal Research",
           "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
+          "Internal Research",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml"
         ],
         "tags": [
@@ -40683,6 +41021,40 @@
       "uuid": "e3845023-ca9a-4024-b2b2-5422156d5527",
       "value": "PowerShell Module File Created By Non-PowerShell Process"
     },
+    {
+      "description": "Detects the creation or modification of the Windows Terminal Profile settings file \"settings.json\" by an uncommon process.",
+      "meta": {
+        "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2023/07/22",
+        "falsepositive": [
+          "Some false positives may occur with admin scripts that set WT settings."
+        ],
+        "filename": "file_event_win_susp_windows_terminal_profile.yml",
+        "level": "medium",
+        "logsource.category": "file_event",
+        "logsource.product": "windows",
+        "refs": [
+          "https://twitter.com/nas_bench/status/1550836225652686848",
+          "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml"
+        ],
+        "tags": [
+          "attack.persistence",
+          "attack.t1547.015"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "84601337-6a55-4ad7-9c35-79e0d1ea2ab3",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "9b64de98-9db3-4033-bd7a-f51430105f00",
+      "value": "Windows Terminal Profile Settings Modification By Uncommon Process"
+    },
     {
       "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n",
       "meta": {
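Review bot: The `falsepositive` entry at L4473 is written as a full sentence (`Some false positives may occur with admin scripts that set WT settings.`) while the other entries visible in this diff use a short noun phrase (`Unknown`, `Administrator or backup activity`), and `WT` is an unexpanded abbreviation; `"Administrator scripts that set Windows Terminal settings"` would match the house style. The `description` says the rule covers creation or modification of `settings.json`, but the `value` title only says `Modification`; aligning one with the other would keep the entry's title from under-describing its scope.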
@@ -40696,8 +41068,8 @@
         "logsource.category": "file_event",
         "logsource.product": "windows",
         "refs": [
-          "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
           "https://twitter.com/cyb3rops/status/1552932770464292864",
+          "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
         ],
         "tags": [
@@ -40766,8 +41138,8 @@
         "logsource.category": "file_rename",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
           "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
+          "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
         ],
         "tags": [
@@ -40800,8 +41172,8 @@
         "logsource.category": "file_rename",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/ffforward/status/1481672378639912960",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location",
+          "https://twitter.com/ffforward/status/1481672378639912960",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml"
         ],
         "tags": "No established tags"
@@ -40889,8 +41261,8 @@
         "logsource.category": "file_delete",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/cube0x0/CVE-2021-1675",
           "https://github.com/hhlxf/PrintNightmare",
+          "https://github.com/cube0x0/CVE-2021-1675",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml"
         ],
         "tags": [
@@ -41025,8 +41397,8 @@
         "logsource.category": "file_delete",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
           "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
+          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml"
         ],
         "tags": [
@@ -41263,8 +41635,8 @@
         "logsource.category": "file_access",
         "logsource.product": "windows",
         "refs": [
-          "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
           "https://github.com/lclevy/firepwd",
+          "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
         ],
         "tags": [
@@ -41297,8 +41669,8 @@
         "logsource.category": "file_access",
         "logsource.product": "windows",
         "refs": [
-          "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
           "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
+          "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml"
         ],
         "tags": [
@@ -41497,10 +41869,10 @@
         "logsource.category": "dns_query",
         "logsource.product": "windows",
         "refs": [
-          "https://redcanary.com/blog/misbehaving-rats/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
+          "https://redcanary.com/blog/misbehaving-rats/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
         ],
         "tags": [
@@ -41811,9 +42183,9 @@
         "logsource.category": "dns_query",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/neonprimetime/status/1436376497980428318",
           "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
           "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+          "https://twitter.com/neonprimetime/status/1436376497980428318",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml"
         ],
         "tags": [
@@ -41846,12 +42218,12 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
-          "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
-          "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
           "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
-          "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
           "https://redcanary.com/blog/raspberry-robin/",
+          "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+          "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
+          "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
+          "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml"
         ],
         "tags": [
@@ -41975,8 +42347,8 @@
         "logsource.product": "windows",
         "refs": [
           "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
           "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml"
         ],
         "tags": [
@@ -41997,6 +42369,29 @@
       "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e",
       "value": "Use of Squirrel.exe"
     },
+    {
+      "description": "Detects PowerShell commands that decrypt an \".LNK\" \"file to drop the next stage of the malware.",
+      "meta": {
+        "author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2023/06/30",
+        "falsepositive": [
+          "Unlikely"
+        ],
+        "filename": "proc_creation_win_powershell_decrypt_pattern.yml",
+        "level": "high",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml"
+        ],
+        "tags": [
+          "attack.execution"
+        ]
+      },
+      "uuid": "434c08ba-8406-4d15-8b24-782cb071a691",
+      "value": "PowerShell Execution With Potential Decryption Capabilities"
+    },
     {
       "description": "Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.",
       "meta": {
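Review bot: The added description carries a stray escaped quote before "file" (`\".LNK\" \"file to drop`), which reads as an unbalanced quotation in every consumer that renders this cluster; the intended line is `"description": "Detects PowerShell commands that decrypt an \".LNK\" file to drop the next stage of the malware.",`. The entry also differs in shape from its siblings: it has only the tactic tag `attack.execution` and no `related` array, whereas comparable new entries in this diff pair a technique tag (e.g. `attack.t1547.015`) with a `related` entry pointing at the technique UUID, so this rule will not be linked to ATT&CK in galaxy-aware tooling. If the upstream Sigma rule carries a technique tag, it should be mirrored here; if the JSON is generated from the upstream YAML, both fixes belong in the source rule and the generator rather than in this file. The pure reorderings of `refs` elsewhere in the diff are semantically neutral but produce large churn; if they come from a non-deterministic generator, sorting `refs` stably in the generator would keep future diffs reviewable.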
@@ -42077,8 +42472,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
-          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
           "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
+          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
         ],
         "tags": [
@@ -42111,8 +42506,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
           "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+          "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml"
         ],
         "tags": [
@@ -42261,12 +42656,12 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://thedfirreport.com/2020/05/08/adfind-recon/",
+          "https://www.joeware.net/freetools/tools/adfind/",
           "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
-          "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
           "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
           "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
-          "https://www.joeware.net/freetools/tools/adfind/",
-          "https://thedfirreport.com/2020/05/08/adfind-recon/",
+          "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
         ],
         "tags": [
@@ -42439,8 +42834,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
           "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
+          "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
         ],
         "tags": [
@@ -42507,8 +42902,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
           "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+          "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml"
         ],
         "tags": [
@@ -42648,9 +43043,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/countuponsec/status/910977826853068800",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
           "https://twitter.com/countuponsec/status/910969424215232518",
+          "https://twitter.com/countuponsec/status/910977826853068800",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
         ],
         "tags": [
@@ -42683,8 +43078,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
           "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+          "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
           "https://www.fortiguard.com/threat-signal-report/4718?s=09",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml"
         ],
@@ -42751,8 +43146,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://h.43z.one/ipconverter/",
           "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+          "https://h.43z.one/ipconverter/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml"
         ],
         "tags": [
@@ -42822,8 +43217,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
           "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
         ],
         "tags": [
@@ -42945,9 +43340,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
           "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
           "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
-          "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
         ],
         "tags": [
@@ -42981,8 +43376,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/shantanu561993/SharpChisel",
           "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+          "https://github.com/shantanu561993/SharpChisel",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml"
         ],
         "tags": [
@@ -43015,9 +43410,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
-          "https://twitter.com/Hexacorn/status/1420053502554951689",
           "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+          "https://twitter.com/Hexacorn/status/1420053502554951689",
+          "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
         ],
         "tags": [
@@ -43058,9 +43453,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
           "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
           "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
-          "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml"
         ],
         "tags": [
@@ -43128,13 +43523,13 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
           "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
+          "https://twitter.com/xorJosh/status/1598646907802451969",
           "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+          "https://ngrok.com/docs",
+          "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
           "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
           "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
-          "https://twitter.com/xorJosh/status/1598646907802451969",
-          "https://ngrok.com/docs",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
         ],
         "tags": [
@@ -43167,8 +43562,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
           "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
+          "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
         ],
         "tags": [
@@ -43201,8 +43596,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
           "https://twitter.com/1ZRR4H/status/1534259727059787783",
+          "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml"
         ],
         "tags": [
@@ -43235,14 +43630,14 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
           "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
-          "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
-          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+          "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
           "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
-          "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+          "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
           "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+          "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
+          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
         ],
         "tags": [
@@ -43284,9 +43679,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/hfiref0x/UACME",
-          "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
           "https://twitter.com/hFireF0X/status/897640081053364225",
           "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+          "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml"
         ],
         "tags": [
@@ -43411,8 +43806,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product",
           "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
+          "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product",
           "https://www.yeahhub.com/list-installed-programs-version-path-windows/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"
         ],
@@ -43448,8 +43843,8 @@
         "refs": [
           "https://redcanary.com/blog/yellow-cockatoo/",
           "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
-          "https://zero2auto.com/2020/05/19/netwalker-re/",
           "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
+          "https://zero2auto.com/2020/05/19/netwalker-re/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
         ],
         "tags": [
@@ -43607,9 +44002,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.joeware.net/freetools/tools/adfind/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
           "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
+          "https://www.joeware.net/freetools/tools/adfind/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"
         ],
         "tags": [
@@ -43755,8 +44150,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/hexacorn/status/1448037865435320323",
           "https://twitter.com/Gal_B1t/status/1062971006078345217",
+          "https://twitter.com/hexacorn/status/1448037865435320323",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml"
         ],
         "tags": [
@@ -43878,15 +44273,15 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
-          "https://bunnyinside.com/?term=f71e8cb9c76a",
           "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
-          "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
-          "https://twitter.com/_xpn_/status/1268712093928378368",
-          "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
           "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
-          "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
-          "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
           "http://managed670.rssing.com/chan-5590147/all_p1.html",
+          "https://bunnyinside.com/?term=f71e8cb9c76a",
+          "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+          "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+          "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+          "https://twitter.com/_xpn_/status/1268712093928378368",
+          "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml"
         ],
         "tags": [
@@ -43919,8 +44314,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/0gtweet/status/1457676633809330184",
           "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
+          "https://twitter.com/0gtweet/status/1457676633809330184",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml"
         ],
         "tags": [
@@ -43953,9 +44348,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
           "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
         ],
         "tags": [
@@ -44067,8 +44462,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/0gtweet/status/1638069413717975046",
           "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend",
+          "https://twitter.com/0gtweet/status/1638069413717975046",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml"
         ],
         "tags": [
@@ -44234,8 +44629,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/fatedier/frp",
           "https://asec.ahnlab.com/en/38156/",
+          "https://github.com/fatedier/frp",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_frp.yml"
         ],
         "tags": [
@@ -44387,9 +44782,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/0gtweet/status/1628720819537936386",
           "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
           "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+          "https://twitter.com/0gtweet/status/1628720819537936386",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml"
         ],
         "tags": [
@@ -44614,8 +45009,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
-          "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
           "https://twitter.com/bryon_/status/975835709587075072",
+          "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml"
         ],
         "tags": [
@@ -44788,10 +45183,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
-          "https://twitter.com/splinter_code/status/1483815103279603714",
           "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+          "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
           "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+          "https://twitter.com/splinter_code/status/1483815103279603714",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml"
         ],
         "tags": "No established tags"
@@ -44985,10 +45380,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
-          "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+          "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+          "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
         ],
         "tags": [
@@ -45174,8 +45569,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
           "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+          "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml"
         ],
         "tags": [
@@ -45331,8 +45726,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
-          "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
           "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
+          "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
         ],
         "tags": [
@@ -45498,8 +45893,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.revshells.com/",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml"
         ],
         "tags": [
@@ -45664,10 +46059,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
-          "https://twitter.com/splinter_code/status/1483815103279603714",
           "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+          "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
           "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+          "https://twitter.com/splinter_code/status/1483815103279603714",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
         ],
         "tags": "No established tags"
@@ -45689,8 +46084,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
-          "https://github.com/dsnezhkov/TruffleSnout",
           "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
+          "https://github.com/dsnezhkov/TruffleSnout",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml"
         ],
         "tags": [
@@ -45724,8 +46119,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
-          "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
           "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+          "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
         ],
         "tags": [
@@ -45759,10 +46154,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
           "https://twitter.com/EricaZelic/status/1614075109827874817",
           "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
           "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
+          "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
         ],
         "tags": [
@@ -45880,8 +46275,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://twitter.com/pabraeken/status/995837734379032576",
-          "https://twitter.com/pabraeken/status/999090532839313408",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
+          "https://twitter.com/pabraeken/status/999090532839313408",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml"
         ],
         "tags": [
@@ -45948,8 +46343,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
           "https://twitter.com/0gtweet/status/1206692239839289344",
+          "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
         ],
         "tags": [
@@ -46016,9 +46411,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
           "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
           "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+          "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
         ],
         "tags": [
@@ -46052,8 +46447,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
-          "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
           "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
+          "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
         ],
         "tags": [
@@ -46087,8 +46482,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
           "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter",
+          "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml"
         ],
         "tags": [
@@ -46187,8 +46582,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
           "https://dtm.uk/wuauclt/",
+          "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml"
         ],
         "tags": [
@@ -46223,8 +46618,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
-          "https://unicode-explorer.com/c/202E",
           "https://redcanary.com/blog/right-to-left-override/",
+          "https://unicode-explorer.com/c/202E",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml"
         ],
         "tags": [
@@ -46258,8 +46653,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
-          "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
           "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+          "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
         ],
         "tags": [
@@ -46300,10 +46695,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
-          "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
-          "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
           "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
+          "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
+          "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+          "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"
         ],
         "tags": [
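Review bot: The four VirusTotal entries in this `refs` array are reordered without any sort key being visible, since after the change `.../35c22725.../behavior` precedes `.../4abe1395.../behavior` which in turn precedes `.../427616528.../behavior`, which is neither the upstream order nor lexical order. Combined with the dozens of sibling hunks in this diff that only permute `refs`, this looks like the generator iterating an unordered collection, so every regeneration produces a large cosmetic diff that hides real changes to detection metadata. Presumably the exporter builds the list from a set; emitting `sorted(refs)` (or keeping the source rule's list order) would make the output reproducible and keep reviews of this cluster meaningful. The enclosing cluster object starts before this hunk.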
@@ -46391,14 +46786,14 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
-          "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
           "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
           "https://twitter.com/gN3mes1s/status/941315826107510784",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+          "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
           "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
           "https://github.com/SigmaHQ/sigma/issues/3742",
           "https://twitter.com/Hexacorn/status/776122138063409152",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
         ],
         "tags": [
@@ -46441,8 +46836,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
-          "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
           "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
+          "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
         ],
         "tags": [
@@ -46609,8 +47004,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
           "https://twitter.com/nao_sec/status/1530196847679401984",
+          "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
         ],
         "tags": [
@@ -46694,8 +47089,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
           "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+          "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
           "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
         ],
@@ -46797,11 +47192,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/Hexacorn/status/885570278637678592",
-          "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
           "https://twitter.com/vysecurity/status/885545634958385153",
           "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
+          "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
           "https://twitter.com/Hexacorn/status/885553465417756673",
+          "https://twitter.com/Hexacorn/status/885570278637678592",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml"
         ],
         "tags": [
@@ -47192,9 +47587,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://adepts.of0x.cc/netsh-portproxy-code/",
           "https://www.dfirnotes.net/portproxy_detection/",
           "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+          "https://adepts.of0x.cc/netsh-portproxy-code/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml"
         ],
         "tags": [
@@ -47253,7 +47648,7 @@
     {
       "description": "Detects the creation of a schtask that executes a file from C:\\Users\\<USER>\\AppData\\Local",
       "meta": {
-        "author": "pH-T (Nextron Systems), Nasreddine Bencherchali",
+        "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
         "creation_date": "2022/03/15",
         "falsepositive": [
           "Unknown"
@@ -47450,8 +47845,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/orange_8361/status/1518970259868626944",
           "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
+          "https://twitter.com/orange_8361/status/1518970259868626944",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml"
         ],
         "tags": [
@@ -47509,8 +47904,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57",
           "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
+          "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml"
         ],
         "tags": [
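Review bot: The VirusTotal reference moved to `"https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57"` carries a 63-character hex string, one short of a SHA-256, so the link cannot resolve to a sample. This is carried over verbatim from the existing entry rather than introduced here, but reordering it does not fix it; the hash should be corrected against the upstream Sigma rule's `references` (or the entry dropped) so that analysts pivoting from this cluster land on the right sample. The enclosing cluster object starts before this hunk.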
@@ -47587,9 +47982,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
-          "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
           "https://github.com/defaultnamehere/cookie_crimes/",
+          "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
+          "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
           "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml"
         ],
@@ -47654,8 +48049,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
           "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
+          "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml"
         ],
         "tags": [
@@ -47765,9 +48160,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
           "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+          "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"
         ],
         "tags": [
@@ -47800,8 +48195,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
           "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+          "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml"
         ],
         "tags": [
@@ -47834,8 +48229,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
           "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+          "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
         ],
         "tags": [
@@ -47858,8 +48253,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/johnlatwc/status/1408062131321270282?s=12",
           "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
+          "https://twitter.com/johnlatwc/status/1408062131321270282?s=12",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml"
         ],
         "tags": [
@@ -47892,8 +48287,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
           "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+          "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml"
         ],
         "tags": [
@@ -48172,9 +48567,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.activecyber.us/activelabs/windows-uac-bypass",
-          "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
-          "https://twitter.com/ReaQta/status/1222548288731217921",
           "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
+          "https://twitter.com/ReaQta/status/1222548288731217921",
+          "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
         ],
         "tags": [
@@ -48369,8 +48764,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://nsudo.m2team.org/en-us/",
           "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+          "https://nsudo.m2team.org/en-us/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
         ],
         "tags": [
@@ -48454,15 +48849,15 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
-          "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
-          "https://blog.talosintelligence.com/2017/05/wannacry.html",
-          "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
-          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
           "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+          "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+          "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
           "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+          "https://blog.talosintelligence.com/2017/05/wannacry.html",
           "https://redcanary.com/blog/intelligence-insights-october-2021/",
           "https://github.com/Neo23x0/Raccine#the-process",
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+          "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
         ],
         "tags": [
@@ -48504,8 +48899,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
           "Turla has used fsutil fsinfo drives to list connected drives.",
+          "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
         ],
         "tags": [
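Review bot: The `refs` array still contains the prose string `"Turla has used fsutil fsinfo drives to list connected drives."` between two URLs, and the commit only reorders around it. Consumers of MISP galaxy clusters generally treat `refs` as a list of links, so a free-text sentence either renders as a dead link or breaks tooling that validates URLs. Presumably this comes straight from the upstream rule's `references` list; the exporter should skip entries that do not start with `http://` or `https://`, or move such text into the `description`. The enclosing cluster object starts before this hunk.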
@@ -48572,10 +48967,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://man.openbsd.org/ssh_config#ProxyCommand",
-          "https://man.openbsd.org/ssh_config#LocalCommand",
-          "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
           "https://gtfobins.github.io/gtfobins/ssh/",
+          "https://man.openbsd.org/ssh_config#ProxyCommand",
+          "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
+          "https://man.openbsd.org/ssh_config#LocalCommand",
           "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml"
         ],
@@ -48609,8 +49004,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
           "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
+          "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml"
         ],
         "tags": [
@@ -48822,8 +49217,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/Max_Mal_/status/1633863678909874176",
           "Internal Research",
+          "https://twitter.com/Max_Mal_/status/1633863678909874176",
           "https://twitter.com/_JohnHammond/status/1588155401752788994",
           "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml"
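Review bot: `"Internal Research"` is kept as an element of `refs` while the surrounding URLs are shuffled around it, so the array mixes a non-URL placeholder with real links. Since this value carries no resolvable target, it is better dropped by the generator (e.g. by filtering entries that lack an `http` scheme) than exported as a reference, which would also make these permutation-only hunks smaller. The enclosing cluster object starts before this hunk and its `refs` array closes after it.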
@@ -49033,12 +49428,12 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.cobaltstrike.com/help-opsec",
-          "https://twitter.com/CyberRaiju/status/1251492025678983169",
-          "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
           "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
           "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+          "https://twitter.com/CyberRaiju/status/1251492025678983169",
+          "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
         ],
         "tags": [
@@ -49071,11 +49466,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
           "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
-          "https://twitter.com/egre55/status/1087685529016193025",
           "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+          "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+          "https://twitter.com/egre55/status/1087685529016193025",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
         ],
         "tags": [
@@ -49300,8 +49695,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/sensepost/impersonate",
           "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
+          "https://github.com/sensepost/impersonate",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml"
         ],
         "tags": [
@@ -49368,8 +49763,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
           "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+          "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml"
         ],
         "tags": [
@@ -49402,9 +49797,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
           "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
           "https://www.scythe.io/library/threat-emulation-qakbot",
-          "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml"
         ],
         "tags": [
@@ -49427,8 +49822,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
           "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+          "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"
         ],
         "tags": [
@@ -49461,9 +49856,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
           "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
           "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
-          "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml"
         ],
         "tags": [
@@ -49530,8 +49925,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
           "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
+          "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
           "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
         ],
@@ -49599,8 +49994,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
           "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
+          "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
         ],
         "tags": "No established tags"
@@ -49622,9 +50017,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
-          "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
           "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+          "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
         ],
         "tags": [
@@ -49747,9 +50142,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/_st0pp3r_/status/1583914515996897281",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
           "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
-          "https://twitter.com/_st0pp3r_/status/1583914515996897281",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
         ],
         "tags": [
@@ -49869,9 +50264,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
           "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
           "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
+          "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
         ],
         "tags": [
@@ -50011,8 +50406,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
           "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+          "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"
         ],
         "tags": [
@@ -50045,10 +50440,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
-          "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
-          "https://twitter.com/0gtweet/status/1583356502340870144",
           "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+          "https://twitter.com/0gtweet/status/1583356502340870144",
+          "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+          "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
         ],
         "tags": [
@@ -50089,10 +50484,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
-          "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
-          "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
           "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+          "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
+          "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
+          "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
         ],
         "tags": [
@@ -50439,7 +50834,7 @@
         "creation_date": "2019/01/29",
         "falsepositive": [
           "Legitimate administration activity",
-          "Software installations and removal"
+          "Software installations"
         ],
         "filename": "proc_creation_win_netsh_fw_add_rule.yml",
         "level": "medium",
@@ -50447,12 +50842,12 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
-          "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml"
         ],
         "tags": [
           "attack.defense_evasion",
-          "attack.t1562.004"
+          "attack.t1562.004",
+          "attack.s0246"
         ]
       },
       "related": [
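Review bot: The `https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)` entry is dropped from `refs` outright rather than having its parenthetical annotation stripped, so a consumer that resolves references from `refs` loses the link to the software page even though the new `attack.s0246` tag records the ID. Keeping the bare URL as `"https://attack.mitre.org/software/S0246/",` next to the existing report link would preserve the reference while still fixing the malformed entry. The added tag follows the lower-case `attack.` form used by `attack.t1562.004` on the line above, which matches the rest of the file.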
@@ -50480,8 +50875,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
           "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
+          "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
         ],
         "tags": "No established tags"
@@ -50538,8 +50933,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/Moriarty_Meng/status/984380793383370752",
           "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
+          "https://twitter.com/Moriarty_Meng/status/984380793383370752",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml"
         ],
         "tags": [
@@ -50608,10 +51003,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
+          "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
           "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html",
           "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
-          "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
-          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml"
         ],
         "tags": [
@@ -50745,9 +51140,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
           "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
           "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
-          "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml"
         ],
         "tags": [
@@ -50848,10 +51243,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
-          "https://twitter.com/ForensicITGuy/status/1334734244120309760",
-          "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
           "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+          "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+          "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+          "https://twitter.com/ForensicITGuy/status/1334734244120309760",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
         ],
         "tags": [
@@ -50902,9 +51297,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
+          "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
           "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
           "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
-          "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
         ],
         "tags": [
@@ -50986,10 +51381,10 @@
         "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
         "creation_date": "2022/08/06",
         "falsepositive": [
-          "Unknown"
+          "Software Installers"
         ],
         "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml",
-        "level": "high",
+        "level": "medium",
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
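Review bot: The new `falsepositive` value `Software Installers` is in Title Case while sibling entries in this file use sentence case (`Software installations` and `Legitimate administration activity` in the netsh_fw_add_rule entry earlier in this diff), so it should read `"Software installers"` for consistency. The downgrade of `level` from `high` to `medium` changes how consumers prioritise alerts for NTFS short-name use in the image path, and the hunk carries no rationale; since this file appears to be generated from the upstream Sigma rule, the justification presumably lives in that rule's own history and should be confirmed there rather than inferred from this diff. The rest of this cluster entry continues outside the hunk.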
@@ -51051,9 +51446,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
-          "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
           "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
+          "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml"
         ],
         "tags": [
@@ -51263,8 +51658,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
           "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml"
         ],
         "tags": [
@@ -51306,11 +51701,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
-          "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+          "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
           "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
+          "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
         ],
         "tags": [
@@ -51450,8 +51845,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
           "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+          "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml"
         ],
         "tags": [
@@ -51484,8 +51879,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/0gtweet/status/1477925112561209344",
           "https://twitter.com/wdormann/status/1478011052130459653?s=20",
+          "https://twitter.com/0gtweet/status/1477925112561209344",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml"
         ],
         "tags": [
@@ -51508,8 +51903,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
           "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
+          "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml"
         ],
         "tags": [
@@ -51551,11 +51946,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
           "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
           "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
-          "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
           "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+          "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+          "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
         ],
         "tags": [
@@ -51597,9 +51992,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
           "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
-          "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
         ],
         "tags": [
@@ -51666,8 +52061,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://isc.sans.edu/diary/22264",
-          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
         ],
@@ -51744,9 +52139,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/electron/rcedit",
-          "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
           "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
+          "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
+          "https://github.com/electron/rcedit",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml"
         ],
         "tags": [
@@ -51805,8 +52200,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
-          "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
           "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
+          "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
         ],
         "tags": [
@@ -51874,8 +52269,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
           "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml"
         ],
         "tags": [
@@ -51994,8 +52389,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://isc.sans.edu/diary/22264",
-          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
         ],
@@ -52181,8 +52576,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
           "https://attack.mitre.org/software/S0108/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"
         ],
         "tags": [
@@ -52262,8 +52657,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
           "https://twitter.com/nas_bench/status/1534916659676422152",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
           "https://twitter.com/nas_bench/status/1534915321856917506",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml"
         ],
@@ -52489,9 +52884,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
           "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
           "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+          "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
           "https://twitter.com/nas_bench/status/1537896324837781506",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
         ],
@@ -52848,8 +53243,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://twitter.com/mattifestation/status/1196390321783025666",
-          "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
           "https://twitter.com/oulusoyum/status/1191329746069655553",
+          "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
         ],
         "tags": [
@@ -52926,9 +53321,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
           "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
           "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+          "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
         ],
         "tags": [
@@ -52985,10 +53380,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
-          "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
           "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+          "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
           "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
+          "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
         ],
         "tags": "No established tags"
@@ -53009,9 +53404,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
-          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
           "https://adsecurity.org/?p=2604",
+          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+          "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
           "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"
         ],
@@ -53152,8 +53547,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs",
           "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
+          "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml"
         ],
         "tags": [
@@ -53186,8 +53581,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
           "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
+          "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml"
         ],
         "tags": [
@@ -53271,8 +53666,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
           "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing",
+          "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml"
         ],
         "tags": [
@@ -53329,9 +53724,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
           "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
           "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
+          "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"
         ],
         "tags": [
@@ -53464,8 +53859,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.radmin.fr/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
+          "https://www.radmin.fr/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"
         ],
         "tags": [
@@ -53532,10 +53927,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/wunderwuzzi23/firefox-cookiemonster",
           "https://github.com/defaultnamehere/cookie_crimes/",
           "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
           "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
+          "https://github.com/wunderwuzzi23/firefox-cookiemonster",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml"
         ],
         "tags": [
@@ -53568,8 +53963,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
           "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
+          "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml"
         ],
         "tags": "No established tags"
@@ -53623,8 +54018,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
           "https://twitter.com/blackorbird/status/1140519090961825792",
+          "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
         ],
         "tags": [
@@ -53657,10 +54052,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
-          "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
-          "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
           "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
+          "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
+          "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+          "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
         ],
         "tags": [
@@ -53726,8 +54121,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
           "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
+          "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml"
         ],
         "tags": [
@@ -53859,8 +54254,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml"
         ],
         "tags": [
@@ -53889,7 +54284,7 @@
           "Unknown"
         ],
         "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml",
-        "level": "medium",
+        "level": "high",
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
@@ -53960,9 +54355,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/RedDrip7/status/1506480588827467785",
           "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
           "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/",
+          "https://twitter.com/RedDrip7/status/1506480588827467785",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml"
         ],
         "tags": [
@@ -54137,8 +54532,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://redcanary.com/blog/child-processes/",
           "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
+          "https://redcanary.com/blog/child-processes/",
           "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml"
         ],
@@ -54172,8 +54567,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
           "https://twitter.com/bopin2020/status/1366400799199272960",
+          "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml"
         ],
         "tags": [
@@ -54297,8 +54692,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
           "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
+          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml"
         ],
         "tags": [
@@ -54470,8 +54865,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
           "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+          "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml"
         ],
         "tags": [
@@ -54540,8 +54935,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml"
         ],
         "tags": [
@@ -54574,9 +54969,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.php.net/manual/en/features.commandline.php",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
           "https://www.revshells.com/",
+          "https://www.php.net/manual/en/features.commandline.php",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
         ],
         "tags": [
@@ -54632,8 +55027,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.d7xtech.com/free-software/runx/",
           "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+          "https://www.d7xtech.com/free-software/runx/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml"
         ],
         "tags": [
@@ -54667,10 +55062,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/mrd0x/status/1511489821247684615",
           "https://twitter.com/mrd0x/status/1511415432888131586",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
           "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
-          "https://twitter.com/mrd0x/status/1511489821247684615",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
         ],
         "tags": [
@@ -54744,11 +55139,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
-          "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
-          "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
           "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
           "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+          "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
+          "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
+          "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml"
         ],
         "tags": [
@@ -54848,8 +55243,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
           "https://twitter.com/WindowsDocs/status/1620078135080325122",
+          "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml"
         ],
         "tags": [
@@ -54993,8 +55388,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://nsudo.m2team.org/en-us/",
           "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+          "https://nsudo.m2team.org/en-us/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml"
         ],
         "tags": [
@@ -55061,8 +55456,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+          "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml"
         ],
         "tags": [
@@ -55200,8 +55595,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
           "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+          "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac",
           "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml"
         ],
@@ -55276,14 +55671,14 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
-          "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
           "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
           "https://twitter.com/gN3mes1s/status/941315826107510784",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+          "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
           "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
           "https://github.com/SigmaHQ/sigma/issues/3742",
           "https://twitter.com/Hexacorn/status/776122138063409152",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
         ],
         "tags": [
@@ -55358,8 +55753,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
           "https://github.com/skelsec/pypykatz",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml"
         ],
         "tags": [
@@ -55537,8 +55932,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
           "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
+          "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml"
         ],
         "tags": [
@@ -55713,10 +56108,10 @@
           "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
           "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
           "https://twitter.com/shantanukhande/status/1229348874298388484",
-          "https://twitter.com/Wietze/status/1542107456507203586",
-          "https://twitter.com/SBousseaden/status/1167417096374050817",
           "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py",
           "https://twitter.com/Hexacorn/status/1224848930795552769",
+          "https://twitter.com/SBousseaden/status/1167417096374050817",
+          "https://twitter.com/Wietze/status/1542107456507203586",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
         ],
         "tags": [
@@ -55792,8 +56187,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+          "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml"
         ],
         "tags": [
@@ -55830,8 +56225,8 @@
           "https://twitter.com/christophetd/status/1164506034720952320",
           "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
           "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
-          "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
           "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
+          "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
         ],
         "tags": [
@@ -55932,12 +56327,12 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
-          "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
-          "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
           "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+          "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
           "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+          "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
           "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+          "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml"
         ],
         "tags": [
@@ -55978,8 +56373,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
           "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+          "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml"
         ],
         "tags": [
@@ -56052,12 +56447,12 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
           "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
-          "https://twitter.com/eral4m/status/1479080793003671557",
           "https://twitter.com/eral4m/status/1479106975967240209",
+          "https://twitter.com/eral4m/status/1479080793003671557",
           "https://twitter.com/Hexacorn/status/885258886428725250",
           "https://twitter.com/nas_bench/status/1433344116071583746",
+          "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
         ],
         "tags": [
@@ -56218,8 +56613,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/Tylous/ZipExec",
           "https://twitter.com/SBousseaden/status/1451237393017839616",
+          "https://github.com/Tylous/ZipExec",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml"
         ],
         "tags": [
@@ -56339,8 +56734,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
-          "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
           "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
+          "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
         ],
         "tags": [
@@ -56373,8 +56768,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
           "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+          "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml"
         ],
         "tags": [
@@ -56441,9 +56836,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
-          "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
           "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process",
+          "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
+          "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
         ],
         "tags": [
@@ -56569,8 +56964,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/",
           "https://twitter.com/mrd0x/status/1460815932402679809",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml"
         ],
         "tags": [
@@ -56637,8 +57032,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/mrd0x/status/1463526834918854661",
           "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
+          "https://twitter.com/mrd0x/status/1463526834918854661",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml"
         ],
         "tags": [
@@ -56672,11 +57067,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
-          "https://blog.alyac.co.kr/1901",
-          "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
           "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
           "https://twitter.com/cyberwar_15/status/1187287262054076416",
+          "https://blog.alyac.co.kr/1901",
+          "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+          "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
         ],
         "tags": [
@@ -56861,8 +57256,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
-          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
           "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
+          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml"
         ],
         "tags": [
@@ -56918,9 +57313,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
           "https://twitter.com/nas_bench/status/1534957360032120833",
-          "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
         ],
         "tags": [
@@ -57004,8 +57399,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/cw1997/NATBypass",
           "https://github.com/HiwinCN/HTran",
+          "https://github.com/cw1997/NATBypass",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml"
         ],
         "tags": [
@@ -57039,9 +57434,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.nirsoft.net/utils/nircmd.html",
-          "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
           "https://www.nirsoft.net/utils/nircmd2.html#using",
+          "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+          "https://www.nirsoft.net/utils/nircmd.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
         ],
         "tags": [
@@ -57274,8 +57669,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+          "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml"
         ],
         "tags": [
@@ -57392,9 +57787,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
           "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
           "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
-          "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
         ],
         "tags": [
@@ -57419,8 +57814,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
-          "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
           "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+          "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml"
         ],
         "tags": [
@@ -57686,9 +58081,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
           "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
           "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
-          "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml"
         ],
         "tags": [
@@ -57788,9 +58183,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
-          "https://twitter.com/_JohnHammond/status/1531672601067675648",
           "https://twitter.com/nao_sec/status/1530196847679401984",
+          "https://twitter.com/_JohnHammond/status/1531672601067675648",
+          "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"
         ],
         "tags": [
@@ -58169,13 +58564,13 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://thedfirreport.com/2020/05/08/adfind-recon/",
+          "https://www.joeware.net/freetools/tools/adfind/",
           "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
-          "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+          "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
           "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
           "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
-          "https://www.joeware.net/freetools/tools/adfind/",
-          "https://thedfirreport.com/2020/05/08/adfind-recon/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
+          "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
         ],
         "tags": [
@@ -58232,8 +58627,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
           "https://github.com/carlospolop/PEASS-ng",
+          "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml"
         ],
         "tags": [
@@ -58316,8 +58711,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/subTee/status/1216465628946563073",
           "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
+          "https://twitter.com/subTee/status/1216465628946563073",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml"
         ],
         "tags": [
@@ -58339,6 +58734,39 @@
       "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0",
       "value": "Tasks Folder Evasion"
     },
+    {
+      "description": "Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware.",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/07/18",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "proc_creation_win_cmd_ping_copy_combined_execution.yml",
+        "level": "medium",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "Internal Research",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion",
+          "attack.t1070.004"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "ded2b07a-d12f-4284-9b76-653e37b6c8b0",
+      "value": "Suspicious Ping/Copy Command Combination"
+    },
     {
       "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n",
       "meta": {
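Review bot: The new rule's description only says that `ping` and `copy` appear in one command line, yet it is tagged `attack.t1070.004`, which in ATT&CK is Indicator Removal: File Deletion; nothing in the entry explains that mapping, so a reader cannot tell whether the detection also keys on a `del`/self-removal step or whether the tag is simply off. I would reword the description to state the behaviour being detected — e.g. `Detects a single command line that combines ping (commonly used as a sleep substitute) with copy, a pattern seen in malware that stages or replaces its own binary before removing the original` — or, if the rule is really about deletion, say so explicitly. The only reference is "Internal Research" and the false-positive entry is "Unknown", so the description is the only place a practitioner can learn what to expect; naming the obvious benign case (admin batch scripts that ping a host before copying to it) would help tuning. Since this JSON is generated from the Sigma repository, the wording fix belongs in the upstream rule's `description`/`falsepositives` fields rather than here.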
@@ -58352,8 +58780,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
           "Internal Research",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml"
         ],
         "tags": [
@@ -58386,8 +58814,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
           "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
+          "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
           "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
           "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
@@ -58422,8 +58850,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/bohops/status/948061991012327424",
           "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+          "https://twitter.com/bohops/status/948061991012327424",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml"
         ],
         "tags": [
@@ -58456,9 +58884,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
           "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
+          "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml"
         ],
         "tags": [
@@ -58546,9 +58974,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
           "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
           "https://twitter.com/MichalKoczwara/status/1553634816016498688",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
         ],
         "tags": [
@@ -58662,8 +59090,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
           "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
+          "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml"
         ],
         "tags": [
@@ -58696,8 +59124,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/PhilipTsukerman/status/992021361106268161",
           "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/",
+          "https://twitter.com/PhilipTsukerman/status/992021361106268161",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml"
         ],
         "tags": [
@@ -58764,10 +59192,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
-          "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
           "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
           "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+          "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+          "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
         ],
         "tags": [
@@ -58844,9 +59272,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
           "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
           "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
-          "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
         ],
         "tags": [
@@ -58891,8 +59319,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
           "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+          "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
         ],
         "tags": [
@@ -58958,9 +59386,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
           "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
           "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
+          "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
         ],
         "tags": [
@@ -59026,8 +59454,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
           "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+          "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
           "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml"
         ],
@@ -59108,8 +59536,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt",
           "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/",
+          "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml"
         ],
         "tags": [
@@ -59263,11 +59691,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
           "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
-          "https://twitter.com/egre55/status/1087685529016193025",
           "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+          "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+          "https://twitter.com/egre55/status/1087685529016193025",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
         ],
         "tags": [
@@ -59300,8 +59728,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
           "https://tools.thehacker.recipes/mimikatz/modules",
+          "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml"
         ],
         "tags": [
@@ -59491,8 +59919,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
           "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
+          "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml"
         ],
         "tags": [
@@ -59525,9 +59953,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
           "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
           "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
-          "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml"
         ],
         "tags": "No established tags"
@@ -59548,9 +59976,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
+          "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
         ],
         "tags": [
@@ -59640,8 +60068,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
           "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
+          "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
           "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml"
         ],
@@ -59710,8 +60138,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
-          "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
           "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+          "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
         ],
         "tags": [
@@ -59820,11 +60248,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
           "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+          "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
+          "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
           "https://twitter.com/cglyer/status/1355171195654709249",
           "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
-          "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
         ],
         "tags": [
@@ -59857,8 +60285,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/frgnca/AudioDeviceCmdlets",
           "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
+          "https://github.com/frgnca/AudioDeviceCmdlets",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
         ],
@@ -59893,8 +60321,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
-          "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+          "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml"
         ],
         "tags": [
@@ -59927,9 +60355,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
-          "https://nodejs.org/api/cli.html",
           "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
+          "https://nodejs.org/api/cli.html",
+          "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
           "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
         ],
@@ -59963,8 +60391,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/hfiref0x/UACME",
           "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+          "https://github.com/hfiref0x/UACME",
           "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
         ],
@@ -60032,8 +60460,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
           "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
+          "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
         ],
         "tags": [
@@ -60084,7 +60512,7 @@
         }
       ],
       "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929",
-      "value": "Findstr LSASS"
+      "value": "LSASS Process Reconnaissance Via Findstr.EXE"
     },
     {
       "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil",
@@ -60099,8 +60527,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
           "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml"
         ],
         "tags": [
@@ -60252,8 +60680,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/mttaggart/quasar",
           "https://taggart-tech.com/quasar-electron/",
+          "https://github.com/mttaggart/quasar",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
         ],
         "tags": [
@@ -60318,9 +60746,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "http://www.xuetr.com/",
           "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
           "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
+          "http://www.xuetr.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
         ],
         "tags": "No established tags"
@@ -60412,7 +60840,7 @@
       "value": "Local Accounts Discovery"
     },
     {
-      "description": "Detects findstring commands with a suspicious ParentCommandLine",
+      "description": "Detects execution of \"findstr\" as a child process of potentially suspicious parent command lines. This is often the case when \"findstr\" is used to filter out the results of certain reconnaissance commands such as \"tasklist\" or \"ipconfig /all\"",
       "meta": {
         "author": "frack113",
         "creation_date": "2023/07/06",
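Review bot: The rewritten description says findstr is used to "filter out the results" of reconnaissance commands, which reads as discarding them; the intended meaning is narrowing their output, so `to filter the output of reconnaissance commands such as "tasklist" or "ipconfig /all"` is clearer. "This is often the case when" is also vague about what "this" refers to; tying it to the parent command line directly (`Typical parents are reconnaissance commands whose output is piped into findstr…`) states the detection premise plainly. As with the rest of this file, the change should be made in the upstream Sigma rule so the regenerated JSON picks it up.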
@@ -60442,7 +60870,7 @@
         }
       ],
       "uuid": "ccb5742c-c248-4982-8c5c-5571b9275ad3",
-      "value": "Findstr Suspicious ParentCommandLine"
+      "value": "Potentially Suspicious Findstr.EXE Execution"
     },
     {
       "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines",
@@ -60567,8 +60995,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/malmoeb/status/1616702107242971144",
           "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r",
+          "https://twitter.com/malmoeb/status/1616702107242971144",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml"
         ],
         "tags": [
@@ -60668,9 +61096,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/pabraeken/status/990758590020452353",
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
           "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
+          "https://twitter.com/pabraeken/status/990758590020452353",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
         ],
         "tags": [
@@ -60900,9 +61328,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
           "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
           "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
-          "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
         ],
         "tags": [
@@ -60925,10 +61353,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
-          "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
-          "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
           "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
+          "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
+          "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
+          "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
         ],
         "tags": [
@@ -60962,8 +61390,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://isc.sans.edu/diary/22264",
-          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
         ],
@@ -61030,9 +61458,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://www.echotrail.io/insights/search/mshta.exe",
           "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
           "https://en.wikipedia.org/wiki/HTML_Application",
-          "https://www.echotrail.io/insights/search/mshta.exe",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
         ],
         "tags": [
@@ -61065,10 +61493,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
-          "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
-          "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
           "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
+          "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
+          "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+          "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml"
         ],
         "tags": [
@@ -61177,9 +61605,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.nirsoft.net/utils/nircmd.html",
-          "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
           "https://www.nirsoft.net/utils/nircmd2.html#using",
+          "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+          "https://www.nirsoft.net/utils/nircmd.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
         ],
         "tags": [
@@ -61437,9 +61865,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
-          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
           "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+          "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"
         ],
         "tags": [
@@ -61538,8 +61966,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf",
           "https://github.com/danielbohannon/Invoke-DOSfuscation",
+          "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml"
         ],
         "tags": [
@@ -61559,6 +61987,41 @@
       "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51",
       "value": "Potential Dosfuscation Activity"
     },
+    {
+      "description": "Detects execution of \"WerFault.exe\" with the \"-pr\" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/06/30",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "proc_creation_win_werfault_reflect_debugger_exec.yml",
+        "level": "medium",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
+          "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml"
+        ],
+        "tags": [
+          "attack.execution",
+          "attack.defense_evasion",
+          "attack.t1036"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd",
+      "value": "Potential ReflectDebugger Content Execution Via WerFault.EXE"
+    },
     {
       "description": "Detects specific combinations of encoding methods in PowerShell via the commandline",
       "meta": {
@@ -61614,8 +62077,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml"
         ],
         "tags": [
@@ -61648,8 +62111,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
           "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
+          "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml"
         ],
         "tags": [
@@ -61706,11 +62169,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
-          "https://twitter.com/max_mal_/status/1542461200797163522",
           "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
-          "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
+          "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
           "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+          "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
+          "https://twitter.com/max_mal_/status/1542461200797163522",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
         ],
         "tags": [
@@ -61886,8 +62349,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.intrinsec.com/apt27-analysis/",
           "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+          "https://www.intrinsec.com/apt27-analysis/",
           "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
         ],
@@ -62005,8 +62468,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
           "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
+          "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml"
         ],
         "tags": [
@@ -62081,8 +62544,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
-          "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
           "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
+          "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
         ],
         "tags": [
@@ -62115,9 +62578,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
           "https://twitter.com/tccontre18/status/1480950986650832903",
           "https://twitter.com/mrd0x/status/1461041276514623491",
+          "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml"
         ],
         "tags": [
@@ -62150,8 +62613,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md",
           "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
+          "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml"
         ],
         "tags": [
@@ -62185,10 +62648,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
-          "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"
         ],
         "tags": [
@@ -62221,9 +62684,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/mrd0x/status/1511489821247684615",
           "https://twitter.com/mrd0x/status/1511415432888131586",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
-          "https://twitter.com/mrd0x/status/1511489821247684615",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
         ],
         "tags": [
@@ -62321,8 +62784,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
           "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
         ],
@@ -62390,8 +62853,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
           "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
+          "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml"
         ],
         "tags": [
@@ -62456,8 +62919,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
+          "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml"
         ],
         "tags": [
@@ -62599,12 +63062,12 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
           "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
-          "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+          "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
           "https://twitter.com/JohnLaTwC/status/835149808817991680",
+          "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
           "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
         ],
         "tags": [
@@ -62637,9 +63100,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
           "https://github.com/antonioCoco/RogueWinRM",
           "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
-          "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
           "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
         ],
@@ -62673,8 +63136,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/Gerenios/AADInternals",
           "https://o365blog.com/aadinternals/",
+          "https://github.com/Gerenios/AADInternals",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml"
         ],
         "tags": [
@@ -62735,9 +63198,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
           "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
           "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
-          "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml"
         ],
         "tags": [
@@ -62804,9 +63267,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
           "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
+          "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
         ],
         "tags": [
@@ -63075,8 +63538,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
           "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+          "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml"
         ],
         "tags": [
@@ -63211,8 +63674,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
           "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+          "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml"
         ],
         "tags": [
@@ -63348,8 +63811,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
           "https://twitter.com/pabraeken/status/993497996179492864",
+          "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml"
         ],
         "tags": [
@@ -63579,8 +64042,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
           "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
         ],
         "tags": [
@@ -63671,10 +64134,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/mattifestation/status/986280382042595328",
           "https://atomicredteam.io/defense-evasion/T1220/",
           "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
           "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+          "https://twitter.com/mattifestation/status/986280382042595328",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
         ],
         "tags": [
@@ -63799,8 +64262,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
           "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
+          "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"
         ],
         "tags": [
@@ -63856,10 +64319,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://vms.drweb.fr/virus/?i=24144899",
           "https://twitter.com/JohnLaTwC/status/1415295021041979392",
-          "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
           "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+          "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
+          "https://vms.drweb.fr/virus/?i=24144899",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
         ],
         "tags": [
@@ -63892,8 +64355,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
           "https://sourceforge.net/projects/mouselock/",
+          "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml"
         ],
         "tags": [
@@ -63914,6 +64377,30 @@
       "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3",
       "value": "PUA - Mouse Lock Execution"
     },
+    {
+      "description": "Detects execution of netsh with the \"advfirewall\" and the \"set\" option in order to set new values for properties of a existing rule",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/07/18",
+        "falsepositive": [
+          "Legitimate administration activity",
+          "Software installations and removal"
+        ],
+        "filename": "proc_creation_win_netsh_fw_set_rule.yml",
+        "level": "medium",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "https://ss64.com/nt/netsh.html",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "a70dcb37-3bee-453a-99df-d0c683151be6",
+      "value": "Firewall Rule Update Via Netsh.EXE"
+    },
     {
       "description": "Detects the export of the target Registry key to a file.",
       "meta": {
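Review bot: The new "Firewall Rule Update Via Netsh.EXE" entry carries only the tactic tag `"attack.defense_evasion"` and has no `related` array, whereas the other entry added in this commit (the WerFault entry at L7050-L7084) carries both a tactic and a technique tag and a `related` link to the technique's galaxy UUID. Without a technique tag or `related` link this rule cannot be pivoted to an ATT&CK technique cluster in MISP. If the upstream Sigma rule itself tags only the tactic, the generator output is faithful and nothing changes here; if it tags a technique as well, the entry is missing that tag and its corresponding `related` object and the generator should be checked for why it was dropped. Please confirm against the upstream `proc_creation_win_netsh_fw_set_rule.yml`.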
@@ -63996,9 +64483,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
-          "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
           "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+          "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+          "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"
         ],
         "tags": [
@@ -64022,9 +64509,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
           "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
           "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
+          "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
         ],
         "tags": [
@@ -64227,8 +64714,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
           "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml"
         ],
         "tags": [
@@ -64263,8 +64750,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
           "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+          "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
         ],
         "tags": [
@@ -64384,8 +64871,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
           "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
+          "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml"
         ],
         "tags": [
@@ -64427,10 +64914,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
           "https://twitter.com/Alh4zr3d/status/1580925761996828672",
-          "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
           "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+          "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+          "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml"
         ],
         "tags": [
@@ -64465,9 +64952,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
           "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
           "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
-          "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
           "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
         ],
@@ -64501,8 +64988,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
           "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
+          "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
         ],
         "tags": [
@@ -64601,8 +65088,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
           "https://twitter.com/bopin2020/status/1366400799199272960",
+          "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml"
         ],
         "tags": [
@@ -64677,9 +65164,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
-          "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
-          "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
           "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+          "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
+          "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml"
         ],
         "tags": [
@@ -64745,9 +65232,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/_felamos/status/1204705548668555264",
-          "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
+          "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
+          "https://twitter.com/_felamos/status/1204705548668555264",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml"
         ],
         "tags": [
@@ -64882,8 +65369,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
           "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml"
         ],
         "tags": [
@@ -65022,10 +65509,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
-          "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
           "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
+          "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
         ],
         "tags": [
@@ -65058,10 +65545,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
           "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
         ],
         "tags": [
@@ -65094,8 +65581,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks",
           "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/",
+          "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml"
         ],
         "tags": [
@@ -65238,9 +65725,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
           "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
           "https://twitter.com/bohops/status/1477717351017680899?s=12",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
         ],
         "tags": [
@@ -65263,9 +65750,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/0gtweet/status/1564968845726580736",
-          "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
           "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+          "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
+          "https://twitter.com/0gtweet/status/1564968845726580736",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
         ],
         "tags": [
@@ -65308,16 +65795,16 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
-          "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
-          "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
-          "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
           "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
-          "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
+          "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
           "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
-          "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
           "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
-          "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+          "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
           "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+          "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+          "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
+          "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+          "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
         ],
         "tags": [
@@ -65368,10 +65855,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+          "https://github.com/Neo23x0/DLLRunner",
           "https://twitter.com/cyb3rops/status/1186631731543236608",
           "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
-          "https://github.com/Neo23x0/DLLRunner",
-          "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml"
         ],
         "tags": [
@@ -65504,11 +65991,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
           "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
           "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
-          "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
+          "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
           "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
+          "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml"
         ],
         "tags": [
@@ -65596,9 +66083,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
           "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
           "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+          "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
         ],
         "tags": [
@@ -65715,10 +66202,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
-          "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
           "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+          "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
           "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+          "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"
         ],
         "tags": [
@@ -65751,12 +66238,12 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://pentestlab.blog/2017/04/13/hot-potato/",
-          "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
-          "https://github.com/ohpe/juicy-potato",
           "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
-          "https://www.localpotato.com/",
+          "https://pentestlab.blog/2017/04/13/hot-potato/",
+          "https://github.com/ohpe/juicy-potato",
           "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+          "https://www.localpotato.com/",
+          "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
         ],
         "tags": [
@@ -65863,8 +66350,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.autoitscript.com/site/",
           "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w",
+          "https://www.autoitscript.com/site/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml"
         ],
         "tags": [
@@ -65897,11 +66384,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
           "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+          "https://twitter.com/0gtweet/status/1628720819537936386",
+          "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
           "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
           "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
-          "https://twitter.com/0gtweet/status/1628720819537936386",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
         ],
         "tags": [
@@ -66094,9 +66581,9 @@
         "logsource.product": "windows",
         "refs": [
           "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
-          "https://twitter.com/mattifestation/status/1326228491302563846",
           "http://blog.sevagas.com/?Hacking-around-HTA-files",
           "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
+          "https://twitter.com/mattifestation/status/1326228491302563846",
           "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
         ],
@@ -66364,8 +66851,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"
         ],
         "tags": [
@@ -66431,8 +66918,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
           "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+          "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml"
         ],
         "tags": [
@@ -66490,9 +66977,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
           "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
           "https://twitter.com/pabraeken/status/990717080805789697",
-          "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
         ],
         "tags": [
@@ -66525,8 +67012,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
           "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
+          "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
         ],
@@ -66704,9 +67191,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/gN3mes1s/status/1206874118282448897",
           "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
           "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
-          "https://twitter.com/gN3mes1s/status/1206874118282448897",
           "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml"
         ],
@@ -66976,8 +67463,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
           "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml"
         ],
         "tags": [
@@ -67085,8 +67572,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
           "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"
         ],
         "tags": [
@@ -67119,8 +67606,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/harr0ey/status/989617817849876488",
           "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
+          "https://twitter.com/harr0ey/status/989617817849876488",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml"
         ],
         "tags": [
@@ -67228,8 +67715,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
           "https://github.com/byt3bl33d3r/CrackMapExec",
+          "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml"
         ],
         "tags": [
@@ -67271,8 +67758,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
           "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
+          "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml"
         ],
         "tags": [
@@ -67305,10 +67792,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
           "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+          "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
           "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
         ],
         "tags": [
@@ -67430,8 +67917,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
           "https://redcanary.com/blog/raspberry-robin/",
+          "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml"
         ],
         "tags": [
@@ -67442,15 +67929,15 @@
       "value": "Rundll32 With Suspicious Parent Process"
     },
     {
-      "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.",
+      "description": "Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.",
       "meta": {
-        "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport",
-        "creation_date": "2022/02/12",
+        "author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2023/07/18",
         "falsepositive": [
-          "Unlikely"
+          "Unknown"
         ],
         "filename": "proc_creation_win_schtasks_reg_loader.yml",
-        "level": "high",
+        "level": "medium",
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
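Review bot: The entry behind `proc_creation_win_schtasks_reg_loader.yml` is replaced wholesale — new description, author, creation_date, level and, in the next hunk, a new `uuid` (`86588b36-…` replacing `c4eeeeae-…`) — so any consumer that keyed on the old cluster uuid silently loses its reference. If the old rule was deprecated upstream rather than edited in place, the cleaner shape is to keep the old entry marked as deprecated, or at least carry the old uuid in this entry's related-to list, so the mapping stays resolvable. The broadened description ("potentially executes a payload") together with the downgrade from `high` to `medium` and `falsepositive: Unknown` reads as a wider, noisier detection under the same filename, which deserves a sentence in the commit message. The cluster object opens at the `{` in this hunk but its `refs` and related-to arrays continue past the hunk boundary.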
@@ -67480,8 +67967,8 @@
           "type": "related-to"
         }
       ],
-      "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78",
-      "value": "Scheduled Task Executing Powershell Encoded Payload from Registry"
+      "uuid": "86588b36-c6d3-465f-9cee-8f9093e07798",
+      "value": "Scheduled Task Executing Payload from Registry"
     },
     {
       "description": "Detects execution of \"odbcconf\" with the \"REGSVR\" action where the DLL in question doesn't contain a \".dll\" extension. Which is often used as a method to evade defenses.",
@@ -67496,9 +67983,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
           "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
           "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+          "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml"
         ],
         "tags": [
@@ -67531,9 +68018,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/sensepost/ruler",
-          "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
           "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+          "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
+          "https://github.com/sensepost/ruler",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
         ],
         "tags": [
@@ -67574,10 +68061,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
-          "https://twitter.com/aceresponder/status/1636116096506818562",
-          "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
           "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
+          "https://twitter.com/aceresponder/status/1636116096506818562",
+          "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
+          "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
           "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml"
         ],
@@ -67612,8 +68099,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/nas_bench/status/1618021415852335105",
           "https://twitter.com/nas_bench/status/1618021838407495681",
+          "https://twitter.com/nas_bench/status/1618021415852335105",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml"
         ],
         "tags": [
@@ -67757,8 +68244,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
-          "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
           "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
+          "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
         ],
         "tags": [
@@ -67801,8 +68288,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
-          "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
           "https://twitter.com/vysecurity/status/873181705024266241",
+          "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
           "https://twitter.com/vysecurity/status/974806438316072960",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
         ],
@@ -67910,9 +68397,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
           "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
-          "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"
         ],
         "tags": [
@@ -67978,8 +68465,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
           "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
           "https://github.com/tevora-threat/SharpView/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
         ],
@@ -68045,9 +68532,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
-          "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
           "https://github.com/hfiref0x/UACME",
+          "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+          "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
         ],
         "tags": [
@@ -68190,8 +68677,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
           "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
+          "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml"
         ],
@@ -68267,9 +68754,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.revshells.com/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
           "https://nmap.org/ncat/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
         ],
         "tags": [
@@ -68302,11 +68789,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
           "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
-          "https://twitter.com/egre55/status/1087685529016193025",
           "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+          "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+          "https://twitter.com/egre55/status/1087685529016193025",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
         ],
         "tags": [
@@ -68339,8 +68826,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml"
         ],
         "tags": [
@@ -68373,8 +68860,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
+          "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml"
         ],
         "tags": [
@@ -68407,9 +68894,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://ss64.com/ps/foreach-object.html",
           "https://ss64.com/nt/for.html",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
-          "https://ss64.com/ps/foreach-object.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
         ],
         "tags": [
@@ -68508,8 +68995,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.revshells.com/",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml"
         ],
         "tags": [
@@ -68641,8 +69128,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://h.43z.one/ipconverter/",
           "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+          "https://h.43z.one/ipconverter/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
         ],
         "tags": [
@@ -68742,8 +69229,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2",
-          "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
           "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+          "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml"
         ],
         "tags": [
@@ -68776,9 +69263,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://kb.acronis.com/content/60892",
-          "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/",
           "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd",
+          "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/",
+          "https://kb.acronis.com/content/60892",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml"
         ],
         "tags": [
@@ -68845,6 +69332,30 @@
       "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8",
       "value": "Suspicious Process Created Via Wmic.EXE"
     },
+    {
+      "description": "Detects process execution from a fake recycle bin folder, often used to avoid security solution.",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/07/12",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "proc_creation_win_susp_recycle_bin_fake_execution.yml",
+        "level": "high",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml"
+        ],
+        "tags": [
+          "attack.persistence",
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "5ce0f04e-3efc-42af-839d-5b3a543b76c0",
+      "value": "Suspicious Process Execution From Fake Recycle.Bin Folder"
+    },
     {
       "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)",
       "meta": {
@@ -68976,8 +69487,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/Oddvarmoe/status/1641712700605513729",
           "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup",
+          "https://twitter.com/Oddvarmoe/status/1641712700605513729",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml"
         ],
         "tags": [
@@ -69002,11 +69513,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
-          "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
-          "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
           "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+          "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+          "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+          "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
         ],
         "tags": [
@@ -69154,8 +69665,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
           "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
+          "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml"
         ],
         "tags": [
@@ -69268,8 +69779,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/GhostPack/Seatbelt",
           "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
+          "https://github.com/GhostPack/Seatbelt",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
         ],
         "tags": [
@@ -69318,8 +69829,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/Kevin-Robertson/Inveigh",
           "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+          "https://github.com/Kevin-Robertson/Inveigh",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml"
         ],
         "tags": [
@@ -69386,8 +69897,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.echotrail.io/insights/search/regsvr32.exe",
           "https://redcanary.com/blog/intelligence-insights-april-2022/",
+          "https://www.echotrail.io/insights/search/regsvr32.exe",
           "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml"
         ],
@@ -69488,8 +69999,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
           "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+          "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml"
         ],
         "tags": [
@@ -69623,11 +70134,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
           "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+          "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
           "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
           "https://isc.sans.edu/diary/22264",
-          "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
         ],
         "tags": [
@@ -69670,10 +70181,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
-          "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
-          "https://twitter.com/nao_sec/status/1530196847679401984",
           "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+          "https://twitter.com/nao_sec/status/1530196847679401984",
+          "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
+          "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
         ],
         "tags": [
@@ -69735,9 +70246,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
-          "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
           "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+          "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
+          "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml"
         ],
         "tags": [
@@ -69770,8 +70281,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/GelosSnake/status/934900723426439170",
           "https://asec.ahnlab.com/en/39828/",
+          "https://twitter.com/GelosSnake/status/934900723426439170",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"
         ],
         "tags": [
@@ -69872,8 +70383,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"
         ],
         "tags": [
@@ -69939,8 +70450,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
           "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
+          "https://learn.microsoft.com/en-us/windows/win32/shell/csidl",
           "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml"
         ],
@@ -69961,6 +70472,29 @@
       "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba",
       "value": "Script Interpreter Execution From Suspicious Folder"
     },
+    {
+      "description": "Detects execution of \"curl.exe\" with the \"--insecure\" flag.",
+      "meta": {
+        "author": "X__Junior (Nextron Systems)",
+        "creation_date": "2023/06/30",
+        "falsepositive": [
+          "Access to badly maintained internal or development systems"
+        ],
+        "filename": "proc_creation_win_curl_insecure_connection.yml",
+        "level": "medium",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "Internal Research",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml"
+        ],
+        "tags": [
+          "attack.execution"
+        ]
+      },
+      "uuid": "cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec",
+      "value": "Insecure Transfer Via Curl.EXE"
+    },
     {
       "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.",
       "meta": {
@@ -69974,9 +70508,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
           "https://twitter.com/bohops/status/994405551751815170",
           "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
+          "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
         ],
         "tags": [
@@ -70009,8 +70543,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
           "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
+          "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml"
         ],
         "tags": [
@@ -70033,8 +70567,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
           "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/",
+          "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml"
         ],
         "tags": [
@@ -70141,8 +70675,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
           "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+          "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml"
         ],
         "tags": [
@@ -70176,8 +70710,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
           "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs",
+          "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml"
         ],
         "tags": [
@@ -70387,10 +70921,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
           "https://youtu.be/5mqid-7zp8k?t=2481",
           "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
           "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
-          "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
         ],
         "tags": [
@@ -70572,9 +71106,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
           "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
           "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+          "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
         ],
         "tags": [
@@ -70607,8 +71141,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
           "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
         ],
         "tags": [
@@ -70808,8 +71342,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
-          "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
           "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+          "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"
         ],
         "tags": [
@@ -70842,9 +71376,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
           "https://twitter.com/_st0pp3r_/status/1583914515996897281",
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
         ],
         "tags": [
@@ -70877,8 +71411,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/kmkz_security/status/1220694202301976576",
           "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
+          "https://twitter.com/kmkz_security/status/1220694202301976576",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml"
         ],
         "tags": [
@@ -70911,8 +71445,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+          "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml"
         ],
         "tags": [
@@ -71341,11 +71875,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
+          "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
+          "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
           "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
           "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
-          "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
-          "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
-          "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
         ],
         "tags": [
@@ -71453,11 +71987,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+          "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+          "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
           "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
           "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
-          "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
         ],
         "tags": [
@@ -71490,9 +72024,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
           "https://abuse.io/lockergoga.txt",
-          "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml"
         ],
         "tags": [
@@ -71635,9 +72169,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
           "https://github.com/SigmaHQ/sigma/issues/1009",
           "https://redcanary.com/blog/raspberry-robin/",
+          "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml"
         ],
         "tags": [
@@ -71827,8 +72361,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
           "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+          "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml"
         ],
         "tags": [
@@ -71930,9 +72464,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/binderlabs/DirCreate2System",
           "https://www.echotrail.io/insights/search/wermgr.exe",
           "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+          "https://github.com/binderlabs/DirCreate2System",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
         ],
         "tags": "No established tags"
@@ -71975,9 +72509,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
           "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
           "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
-          "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
         ],
         "tags": [
@@ -72000,9 +72534,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
           "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
           "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+          "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml"
         ],
         "tags": [
@@ -72022,6 +72556,29 @@
       "uuid": "cb0fe7c5-f3a3-484d-aa25-d350a7912729",
       "value": "Suspicious Driver/DLL Installation Via Odbcconf.EXE"
     },
+    {
+      "description": "Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script",
+      "meta": {
+        "author": "Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2023/07/13",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "proc_creation_win_susp_nteventlogfile_usage.yml",
+        "level": "high",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "caf201a9-c2ce-4a26-9c3a-2b9525413711",
+      "value": "Potentially Suspicious Call To Win32_NTEventlogFile Class"
+    },
     {
       "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
       "meta": {
@@ -72077,8 +72634,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/pabraeken/status/993298228840992768",
           "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
+          "https://twitter.com/pabraeken/status/993298228840992768",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml"
         ],
         "tags": [
@@ -72120,8 +72677,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
           "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
+          "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"
         ],
         "tags": [
@@ -72203,9 +72760,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
           "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
           "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+          "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
         ],
         "tags": [
@@ -72307,22 +72864,22 @@
         "refs": [
           "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
           "https://github.com/samratashok/nishang",
-          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
-          "https://github.com/calebstewart/CVE-2021-1675",
-          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
-          "https://github.com/HarmJ0y/DAMP",
-          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
-          "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
-          "https://adsecurity.org/?p=2921",
-          "https://github.com/Kevin-Robertson/Powermad",
-          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
-          "https://github.com/adrecon/AzureADRecon",
-          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
           "https://github.com/adrecon/ADRecon",
-          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+          "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+          "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+          "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+          "https://github.com/adrecon/AzureADRecon",
+          "https://github.com/HarmJ0y/DAMP",
           "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
-          "https://github.com/besimorhino/powercat",
+          "https://adsecurity.org/?p=2921",
+          "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+          "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+          "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
           "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+          "https://github.com/besimorhino/powercat",
+          "https://github.com/Kevin-Robertson/Powermad",
+          "https://github.com/calebstewart/CVE-2021-1675",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
         ],
         "tags": [
@@ -72445,8 +73002,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
           "https://twitter.com/_st0pp3r_/status/1583914244344799235",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
         ],
@@ -72480,9 +73037,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
           "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/",
           "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
-          "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml"
         ],
         "tags": [
@@ -72608,8 +73165,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
           "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
+          "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"
         ],
         "tags": [
@@ -72642,8 +73199,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
           "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+          "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml"
         ],
         "tags": [
@@ -72851,9 +73408,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
           "https://twitter.com/tccontre18/status/1480950986650832903",
           "https://twitter.com/mrd0x/status/1461041276514623491",
+          "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"
         ],
         "tags": [
@@ -72990,9 +73547,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
           "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
+          "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml"
         ],
         "tags": [
@@ -73270,8 +73827,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
           "https://twitter.com/ShadowChasing1/status/1552595370961944576",
+          "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml"
         ],
         "tags": [
@@ -73337,9 +73894,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
           "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
+          "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
         ],
         "tags": [
@@ -73454,10 +74011,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
           "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
           "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
           "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
-          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
         ],
         "tags": [
@@ -73650,8 +74207,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
           "https://github.com/jpillora/chisel/",
+          "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
           "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
         ],
@@ -73719,11 +74276,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+          "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
           "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
           "https://twitter.com/bohops/status/980659399495741441",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
-          "https://twitter.com/JohnLaTwC/status/1223292479270600706",
-          "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
         ],
         "tags": [
@@ -73803,11 +74360,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
-          "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
-          "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
           "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+          "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
+          "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
+          "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml"
         ],
         "tags": [
@@ -73914,9 +74471,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
-          "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
           "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+          "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
+          "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
         ],
         "tags": [
@@ -73950,8 +74507,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
-          "https://twitter.com/pabraeken/status/993298228840992768",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
+          "https://twitter.com/pabraeken/status/993298228840992768",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
         ],
         "tags": [
@@ -74049,8 +74606,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
           "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+          "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml"
         ],
         "tags": [
@@ -74073,8 +74630,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
           "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
+          "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml"
         ],
         "tags": [
@@ -74182,8 +74739,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
-          "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
           "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
+          "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml"
         ],
         "tags": [
@@ -74241,10 +74798,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/bohops/status/1276357235954909188?s=12",
-          "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
           "https://twitter.com/CyberRaiju/status/1273597319322058752",
           "https://twitter.com/nas_bench/status/1535322450858233858",
+          "https://twitter.com/bohops/status/1276357235954909188?s=12",
+          "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
         ],
         "tags": [
@@ -74310,8 +74867,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
           "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
         ],
         "tags": [
@@ -74344,10 +74901,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/lefterispan/status/1286259016436514816",
-          "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
           "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+          "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+          "https://twitter.com/lefterispan/status/1286259016436514816",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"
         ],
         "tags": [
@@ -74489,8 +75046,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/Binaries/Print/",
           "https://twitter.com/Oddvarmoe/status/985518877076541440",
+          "https://lolbas-project.github.io/lolbas/Binaries/Print/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"
         ],
         "tags": [
@@ -74523,8 +75080,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
           "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
+          "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml"
         ],
         "tags": [
@@ -74557,8 +75114,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://persistence-info.github.io/Data/windowsterminalprofile.html",
           "https://twitter.com/nas_bench/status/1550836225652686848",
+          "https://persistence-info.github.io/Data/windowsterminalprofile.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
         ],
         "tags": [
@@ -74582,8 +75139,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/BloodHoundAD/SharpHound",
           "https://github.com/BloodHoundAD/BloodHound",
+          "https://github.com/BloodHoundAD/SharpHound",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml"
         ],
         "tags": [
@@ -74691,12 +75248,12 @@
         "logsource.product": "windows",
         "refs": [
           "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
-          "https://pentestlab.blog/tag/ntds-dit/",
-          "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
-          "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
           "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
           "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+          "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+          "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
           "https://github.com/zcgonvh/NTDSDumpEx",
+          "https://pentestlab.blog/tag/ntds-dit/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
         ],
         "tags": [
@@ -75134,8 +75691,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
           "https://github.com/med0x2e/vba2clr",
+          "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml"
         ],
         "tags": [
@@ -75160,8 +75717,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/pabraeken/status/991335019833708544",
           "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
+          "https://twitter.com/pabraeken/status/991335019833708544",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
         ],
         "tags": [
@@ -75248,9 +75805,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
-          "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
           "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+          "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml"
         ],
         "tags": [
@@ -75339,8 +75896,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
           "https://twitter.com/harr0ey/status/991670870384021504",
+          "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml"
         ],
         "tags": [
@@ -75360,6 +75917,48 @@
       "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f",
       "value": "OpenWith.exe Executes Specified Binary"
     },
+    {
+      "description": "Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.",
+      "meta": {
+        "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2022/02/12",
+        "falsepositive": [
+          "Unlikely"
+        ],
+        "filename": "proc_creation_win_schtasks_reg_loader_encoded.yml",
+        "level": "high",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml"
+        ],
+        "tags": [
+          "attack.execution",
+          "attack.persistence",
+          "attack.t1053.005",
+          "attack.t1059.001"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        },
+        {
+          "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78",
+      "value": "Scheduled Task Executing Encoded Payload from Registry"
+    },
     {
       "description": "Execute C# code with the Build Provider and proper folder structure in place.",
       "meta": {
@@ -75407,8 +76006,8 @@
         "logsource.product": "windows",
         "refs": [
           "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
-          "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
           "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
+          "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml"
         ],
         "tags": [
@@ -75451,8 +76050,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
           "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
+          "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml"
         ],
         "tags": [
@@ -75505,6 +76104,30 @@
       "uuid": "a4824fca-976f-4964-b334-0621379e84c4",
       "value": "Potential File Overwrite Via Sysinternals SDelete"
     },
+    {
+      "description": "Detects PowerShell execution to set the ACL of a file or a folder",
+      "meta": {
+        "author": "Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2022/10/18",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "proc_creation_win_powershell_set_acl.yml",
+        "level": "high",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+          "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "bdeb2cff-af74-4094-8426-724dc937f20a",
+      "value": "PowerShell Script Change Permission Via Set-Acl"
+    },
     {
       "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process",
       "meta": {
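Review bot: The new "PowerShell Script Change Permission Via Set-Acl" cluster carries only the tactic tag `"attack.defense_evasion"`, so unlike the "Scheduled Task Executing Encoded Payload from Registry" entry added earlier in this diff (which has `"attack.t1053.005"` and `"attack.t1059.001"` and therefore a `related` block with `dest-uuid` links) it gets no `related` mapping to an ATT&CK technique; the same applies to the "PowerShell Set-Acl On Windows Folder" entry added further down. Since this cluster file appears to be generated from the upstream Sigma rules (each entry's last ref points at the rule's YAML), the fix belongs in the rule's `tags` rather than in this JSON — a technique tag for file and directory permission modification (T1222.001 in ATT&CK, if that is the intended mapping) would let the generator emit the `related` entries on the next regeneration. The `"falsepositive": ["Unknown"]` paired with `"level": "high"` is also worth a second look given how common Set-Acl is in administrative scripting, though that too is an upstream rule judgement.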
@@ -75584,8 +76207,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/mrd0x/status/1463526834918854661",
           "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
+          "https://twitter.com/mrd0x/status/1463526834918854661",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml"
         ],
         "tags": [
@@ -75661,8 +76284,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/mrd0x/status/1465058133303246867",
           "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
+          "https://twitter.com/mrd0x/status/1465058133303246867",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml"
         ],
         "tags": [
@@ -75804,9 +76427,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
+          "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
           "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
           "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
-          "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
         ],
         "tags": [
@@ -75893,6 +76516,30 @@
       "uuid": "b98d0db6-511d-45de-ad02-e82a98729620",
       "value": "Remotely Hosted HTA File Executed Via Mshta.EXE"
     },
+    {
+      "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder",
+      "meta": {
+        "author": "Nasreddine Bencherchali (Nextron Systems)",
+        "creation_date": "2022/10/18",
+        "falsepositive": [
+          "Unknown"
+        ],
+        "filename": "proc_creation_win_powershell_set_acl_susp_location.yml",
+        "level": "high",
+        "logsource.category": "process_creation",
+        "logsource.product": "windows",
+        "refs": [
+          "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+          "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml"
+        ],
+        "tags": [
+          "attack.defense_evasion"
+        ]
+      },
+      "uuid": "0944e002-e3f6-4eb5-bf69-3a3067b53d73",
+      "value": "PowerShell Set-Acl On Windows Folder"
+    },
     {
       "description": "Detects execution of LiveKD based on PE metadata or image name",
       "meta": {
@@ -75929,8 +76576,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
           "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+          "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml"
         ],
         "tags": [
@@ -76158,8 +76805,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/Hexacorn/status/1224848930795552769",
           "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
+          "https://twitter.com/Hexacorn/status/1224848930795552769",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml"
         ],
         "tags": [
@@ -76360,10 +77007,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/lefterispan/status/1286259016436514816",
-          "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
           "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
           "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+          "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+          "https://twitter.com/lefterispan/status/1286259016436514816",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
         ],
         "tags": [
@@ -76531,8 +77178,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
           "https://twitter.com/harr0ey/status/992008180904419328",
+          "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
         ],
         "tags": [
@@ -76598,8 +77245,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
           "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+          "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
         ],
         "tags": [
@@ -76823,8 +77470,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
           "https://support.anydesk.com/Automatic_Deployment",
+          "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"
         ],
         "tags": [
@@ -76857,10 +77504,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
           "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
           "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
           "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
+          "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
         ],
         "tags": [
@@ -76893,8 +77540,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "windows",
         "refs": [
-          "https://twitter.com/rikvduijn/status/853251879320662017",
           "https://twitter.com/felixw3000/status/853354851128025088",
+          "https://twitter.com/rikvduijn/status/853251879320662017",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml"
         ],
         "tags": [
@@ -76986,9 +77633,9 @@
         "logsource.category": "antivirus",
         "logsource.product": "No established product",
         "refs": [
+          "https://twitter.com/mvelazco/status/1410291741241102338",
           "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
           "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
-          "https://twitter.com/mvelazco/status/1410291741241102338",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
         ],
         "tags": [
@@ -77055,9 +77702,9 @@
         "logsource.product": "No established product",
         "refs": [
           "https://www.nextron-systems.com/?s=antivirus",
+          "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
           "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
           "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
-          "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
         ],
         "tags": [
@@ -77133,16 +77780,16 @@
         "logsource.category": "antivirus",
         "logsource.product": "No established product",
         "refs": [
-          "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
           "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
-          "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
-          "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
-          "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
           "https://www.nextron-systems.com/?s=antivirus",
-          "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
           "https://github.com/tennc/webshell",
+          "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+          "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
+          "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
           "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
           "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
+          "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+          "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
         ],
         "tags": [
@@ -77175,12 +77822,12 @@
         "logsource.category": "antivirus",
         "logsource.product": "No established product",
         "refs": [
+          "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
+          "https://www.nextron-systems.com/?s=antivirus",
           "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
-          "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
           "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
           "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
-          "https://www.nextron-systems.com/?s=antivirus",
-          "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
+          "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
         ],
         "tags": [
@@ -77258,8 +77905,8 @@
         "logsource.product": "okta",
         "refs": [
           "https://sec.okta.com/fastpassphishingdetection",
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml"
         ],
         "tags": [
@@ -77293,8 +77940,8 @@
         "logsource.product": "okta",
         "refs": [
           "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
         ],
         "tags": "No established tags"
@@ -77315,8 +77962,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
         ],
         "tags": [
@@ -77349,8 +77996,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
         ],
         "tags": [
@@ -77373,8 +78020,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
         ],
         "tags": [
@@ -77397,8 +78044,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
         ],
         "tags": [
@@ -77421,8 +78068,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
         ],
         "tags": [
@@ -77445,8 +78092,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml"
         ],
         "tags": [
@@ -77469,8 +78116,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
         ],
         "tags": [
@@ -77503,8 +78150,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
         ],
         "tags": [
@@ -77527,9 +78174,9 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
+          "https://developer.okta.com/docs/reference/api/system-log/",
+          "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
         ],
         "tags": [
@@ -77562,8 +78209,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
         ],
         "tags": [
@@ -77586,8 +78233,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
         ],
         "tags": [
@@ -77610,8 +78257,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
         ],
         "tags": [
@@ -77648,8 +78295,8 @@
         "logsource.category": "No established category",
         "logsource.product": "okta",
         "refs": [
-          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://developer.okta.com/docs/reference/api/event-types/",
+          "https://developer.okta.com/docs/reference/api/system-log/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
         ],
         "tags": [
@@ -77832,11 +78479,11 @@
         "logsource.category": "No established category",
         "logsource.product": "m365",
         "refs": [
+          "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
           "https://www.sygnia.co/golden-saml-advisory",
           "https://o365blog.com/post/aadbackdoor/",
-          "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
           "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
-          "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+          "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
         ],
         "tags": [
@@ -78267,8 +78914,8 @@
         "logsource.category": "No established category",
         "logsource.product": "github",
         "refs": [
-          "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
           "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions",
+          "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml"
         ],
         "tags": [
@@ -78544,10 +79191,10 @@
         "logsource.category": "No established category",
         "logsource.product": "gcp",
         "refs": [
-          "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
-          "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
           "https://github.com/elastic/detection-rules/pull/1267",
+          "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
           "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+          "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
           "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
         ],
@@ -78596,9 +79243,9 @@
         "logsource.category": "No established category",
         "logsource.product": "gcp",
         "refs": [
-          "https://cloud.google.com/kubernetes-engine/docs",
-          "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
           "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+          "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+          "https://cloud.google.com/kubernetes-engine/docs",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
         ],
         "tags": [
@@ -78826,8 +79473,8 @@
         "logsource.category": "No established category",
         "logsource.product": "gcp",
         "refs": [
-          "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
           "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+          "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
         ],
         "tags": [
@@ -78861,8 +79508,8 @@
         "logsource.product": "google_workspace",
         "refs": [
           "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
-          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
           "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
         ],
         "tags": [
@@ -78885,8 +79532,8 @@
         "logsource.category": "No established category",
         "logsource.product": "google_workspace",
         "refs": [
-          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
           "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml"
         ],
         "tags": [
@@ -78919,8 +79566,8 @@
         "logsource.category": "No established category",
         "logsource.product": "google_workspace",
         "refs": [
-          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
           "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml"
         ],
         "tags": [
@@ -78943,8 +79590,8 @@
         "logsource.category": "No established category",
         "logsource.product": "google_workspace",
         "refs": [
-          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
           "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml"
         ],
         "tags": [
@@ -78967,9 +79614,9 @@
         "logsource.category": "No established category",
         "logsource.product": "google_workspace",
         "refs": [
-          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
           "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
           "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
         ],
         "tags": [
@@ -78992,8 +79639,8 @@
         "logsource.category": "No established category",
         "logsource.product": "google_workspace",
         "refs": [
-          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
           "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+          "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml"
         ],
         "tags": [
@@ -79072,13 +79719,13 @@
         "logsource.category": "No established category",
         "logsource.product": "aws",
         "refs": [
-          "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
-          "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
-          "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
           "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
-          "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+          "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
           "https://github.com/elastic/detection-rules/pull/1145/files",
           "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+          "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+          "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+          "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
         ],
         "tags": [
@@ -79356,8 +80003,8 @@
         "logsource.category": "No established category",
         "logsource.product": "aws",
         "refs": [
-          "https://github.com/elastic/detection-rules/pull/1214",
           "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
+          "https://github.com/elastic/detection-rules/pull/1214",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml"
         ],
         "tags": [
@@ -79793,8 +80440,8 @@
         "logsource.category": "No established category",
         "logsource.product": "aws",
         "refs": [
-          "https://github.com/elastic/detection-rules/pull/1213",
           "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+          "https://github.com/elastic/detection-rules/pull/1213",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
         ],
         "tags": [
@@ -79844,9 +80491,9 @@
         "logsource.category": "No established category",
         "logsource.product": "aws",
         "refs": [
-          "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
           "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
           "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
+          "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_cred_endpoint_query.yml"
         ],
         "tags": [
@@ -79866,6 +80513,48 @@
       "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad",
       "value": "AWS ECS Task Definition That Queries The Credential Endpoint"
     },
+    {
+      "description": "Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.",
+      "meta": {
+        "author": "daniel.bohannon@permiso.io (@danielhbohannon)",
+        "creation_date": "2023/05/17",
+        "falsepositive": [
+          "Valid usage of S3 Browser for IAM LoginProfile listing and/or creation"
+        ],
+        "filename": "aws_iam_s3browser_loginprofile_creation.yml",
+        "level": "high",
+        "logsource.category": "No established category",
+        "logsource.product": "aws",
+        "refs": [
+          "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor",
+          "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_s3browser_loginprofile_creation.yml"
+        ],
+        "tags": [
+          "attack.execution",
+          "attack.persistence",
+          "attack.t1059.009",
+          "attack.t1078.004"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        },
+        {
+          "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+          "tags": [
+            "estimative-language:likelihood-probability=\"almost-certain\""
+          ],
+          "type": "related-to"
+        }
+      ],
+      "uuid": "db014773-b1d3-46bd-ba26-133337c0ffee",
+      "value": "AWS IAM S3Browser LoginProfile Creation"
+    },
     {
       "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.",
       "meta": {
@@ -79936,9 +80625,9 @@
         "logsource.category": "No established category",
         "logsource.product": "aws",
         "refs": [
-          "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
-          "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
           "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+          "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
+          "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
         ],
         "tags": [
@@ -79996,8 +80685,8 @@
         "logsource.category": "No established category",
         "logsource.product": "aws",
         "refs": [
-          "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
           "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
+          "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
         ],
         "tags": [
@@ -81089,8 +81778,8 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
           "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+          "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml"
         ],
         "tags": [
@@ -81283,11 +81972,11 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
-          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://attack.mitre.org/matrices/enterprise/cloud/",
-          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
           "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
         ],
         "tags": [
@@ -81568,8 +82257,8 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://blooteem.com/march-2022",
           "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/",
+          "https://blooteem.com/march-2022",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_suspicious_signin_bypassing_mfa.yml"
         ],
         "tags": [
@@ -82406,11 +83095,11 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
-          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://attack.mitre.org/matrices/enterprise/cloud/",
-          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
           "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
         ],
         "tags": [
@@ -82477,11 +83166,11 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
-          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://attack.mitre.org/matrices/enterprise/cloud/",
-          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
           "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
         ],
         "tags": [
@@ -82658,11 +83347,11 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
-          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://attack.mitre.org/matrices/enterprise/cloud/",
-          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
           "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
         ],
         "tags": [
@@ -82718,8 +83407,8 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
           "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+          "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml"
         ],
         "tags": [
@@ -82804,9 +83493,9 @@
         "logsource.product": "azure",
         "refs": [
           "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
           "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
-          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
         ],
         "tags": [
@@ -82908,11 +83597,11 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
-          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://attack.mitre.org/matrices/enterprise/cloud/",
-          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
           "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
         ],
         "tags": [
@@ -83541,11 +84230,11 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
-          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://attack.mitre.org/matrices/enterprise/cloud/",
-          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
           "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
         ],
         "tags": [
@@ -83570,11 +84259,11 @@
         "logsource.category": "No established category",
         "logsource.product": "azure",
         "refs": [
-          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
-          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://attack.mitre.org/matrices/enterprise/cloud/",
-          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
           "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+          "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+          "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+          "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
         ],
         "tags": [
@@ -83696,8 +84385,8 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
           "https://bad-jubies.github.io/RCE-NOW-WHAT/",
+          "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml"
         ],
         "tags": [
@@ -83730,8 +84419,8 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://github.com/pimps/JNDI-Exploit-Kit",
           "https://githubmemory.com/repo/FunctFan/JNDIExploit",
+          "https://github.com/pimps/JNDI-Exploit-Kit",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml"
         ],
         "tags": "No established tags"
@@ -83754,10 +84443,10 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://brightsec.com/blog/sql-injection-payloads/",
-          "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
-          "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
           "https://github.com/payloadbox/sql-injection-payload-list",
+          "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+          "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
+          "https://brightsec.com/blog/sql-injection-payloads/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml"
         ],
         "tags": "No established tags"
@@ -83778,8 +84467,8 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
           "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
+          "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml"
         ],
         "tags": [
@@ -83812,11 +84501,11 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+          "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
           "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
           "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
           "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
-          "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+          "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
         ],
         "tags": [
@@ -83842,8 +84531,8 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://github.com/payloadbox/xss-payload-list",
           "https://portswigger.net/web-security/cross-site-scripting/contexts",
+          "https://github.com/payloadbox/xss-payload-list",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml"
         ],
         "tags": "No established tags"
@@ -83898,9 +84587,9 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
           "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
           "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+          "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
         ],
         "tags": [
@@ -83967,9 +84656,9 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://github.com/lijiejie/IIS_shortname_Scanner",
-          "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
           "https://www.exploit-db.com/exploits/19525",
+          "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+          "https://github.com/lijiejie/IIS_shortname_Scanner",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
         ],
         "tags": [
@@ -84037,8 +84726,8 @@
         "logsource.category": "webserver",
         "logsource.product": "No established product",
         "refs": [
-          "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
           "https://github.com/payloadbox/ssti-payloads",
+          "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml"
         ],
         "tags": "No established tags"
@@ -84160,8 +84849,8 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
           "https://twitter.com/jhencinski/status/1102695118455349248",
+          "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml"
         ],
         "tags": [
@@ -84273,8 +84962,8 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
           "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
+          "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
           "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml"
         ],
@@ -84485,9 +85174,9 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
+          "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
           "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
           "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
-          "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
         ],
         "tags": [
@@ -84578,14 +85267,14 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://twitter.com/crep1x/status/1635034100213112833",
-          "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
-          "https://perishablepress.com/blacklist/ua-2013.txt",
-          "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
-          "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
           "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
-          "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
           "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
+          "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
+          "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+          "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
+          "https://twitter.com/crep1x/status/1635034100213112833",
+          "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
+          "https://perishablepress.com/blacklist/ua-2013.txt",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
         ],
         "tags": [
@@ -84619,8 +85308,8 @@
         "logsource.product": "No established product",
         "refs": [
           "https://blog.talosintelligence.com/ipfs-abuse/",
-          "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
           "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
+          "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
         ],
         "tags": [
@@ -84696,8 +85385,8 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://rclone.org/",
           "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
+          "https://rclone.org/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml"
         ],
         "tags": [
@@ -84764,8 +85453,8 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
           "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
+          "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml"
         ],
         "tags": [
@@ -85050,8 +85739,8 @@
         "logsource.product": "No established product",
         "refs": [
           "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
-          "https://www.spamhaus.org/statistics/tlds/",
           "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
+          "https://www.spamhaus.org/statistics/tlds/",
           "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
         ],
@@ -85311,8 +86000,8 @@
         "logsource.category": "proxy",
         "logsource.product": "No established product",
         "refs": [
-          "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
           "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
+          "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
         ],
         "tags": [
@@ -85566,8 +86255,8 @@
         "logsource.category": "file_event",
         "logsource.product": "macos",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
           "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
         ],
         "tags": [
@@ -85760,9 +86449,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "macos",
         "refs": [
-          "https://ss64.com/osx/dscl.html",
           "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos",
           "https://ss64.com/osx/sysadminctl.html",
+          "https://ss64.com/osx/dscl.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml"
         ],
         "tags": [
@@ -85796,8 +86485,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "macos",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
           "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml"
         ],
         "tags": [
@@ -86257,9 +86946,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "macos",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
           "https://linux.die.net/man/1/dd",
           "https://linux.die.net/man/1/truncate",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
         ],
         "tags": [
@@ -86492,8 +87181,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "macos",
         "refs": [
-          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
           "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml"
         ],
         "tags": [
@@ -86549,9 +87238,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "macos",
         "refs": [
-          "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
           "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
           "https://www.manpagez.com/man/8/firmwarepasswd/",
+          "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
         ],
         "tags": [
@@ -86918,8 +87607,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "macos",
         "refs": [
-          "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
+          "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
         ],
         "tags": [
@@ -86985,9 +87674,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "macos",
         "refs": [
-          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
-          "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
           "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+          "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
+          "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
         ],
         "tags": [
@@ -87177,9 +87866,9 @@
         "logsource.category": "No established category",
         "logsource.product": "qualys",
         "refs": [
-          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
-          "https://www.cisecurity.org/controls/cis-controls-list/",
           "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+          "https://www.cisecurity.org/controls/cis-controls-list/",
+          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
         ],
@@ -87199,8 +87888,8 @@
         "logsource.category": "No established category",
         "logsource.product": "qualys",
         "refs": [
-          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://www.cisecurity.org/controls/cis-controls-list/",
+          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
         ],
@@ -87222,8 +87911,8 @@
         "logsource.category": "No established category",
         "logsource.product": "No established product",
         "refs": [
-          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://www.cisecurity.org/controls/cis-controls-list/",
+          "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
           "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
         ],
@@ -87429,8 +88118,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
           "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+          "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
         ],
         "tags": [
@@ -87471,8 +88160,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
           "https://linux.die.net/man/1/arecord",
+          "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
         ],
         "tags": [
@@ -87798,8 +88487,8 @@
         "logsource.product": "linux",
         "refs": [
           "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
-          "https://objective-see.org/blog/blog_0x68.html",
           "https://www.glitch-cat.com/p/green-lambert-and-attack",
+          "https://objective-see.org/blog/blog_0x68.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
         ],
         "tags": [
@@ -87833,8 +88522,8 @@
         "logsource.product": "linux",
         "refs": [
           "https://imagemagick.org/",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
           "https://linux.die.net/man/1/import",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
         ],
         "tags": [
@@ -87867,8 +88556,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
           "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
         ],
         "tags": [
@@ -87934,10 +88623,10 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
           "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
-          "https://mn3m.info/posts/suid-vs-capabilities/",
           "https://man7.org/linux/man-pages/man8/getcap.8.html",
+          "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
+          "https://mn3m.info/posts/suid-vs-capabilities/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
         ],
         "tags": [
@@ -88012,8 +88701,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://blog.aquasec.com/container-security-tnt-container-attack",
           "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
+          "https://blog.aquasec.com/container-security-tnt-container-attack",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml"
         ],
         "tags": [
@@ -88080,8 +88769,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
+          "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
         ],
         "tags": [
@@ -88446,8 +89135,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
           "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+          "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
         ],
         "tags": [
@@ -88688,10 +89377,10 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
           "https://linux.die.net/man/1/chage",
           "https://man7.org/linux/man-pages/man1/passwd.1.html",
           "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
         ],
         "tags": [
@@ -88791,9 +89480,9 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://linux.die.net/man/8/pam_tty_audit",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
           "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+          "https://linux.die.net/man/8/pam_tty_audit",
           "https://access.redhat.com/articles/4409591#audit-record-types-2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
         ],
@@ -88901,9 +89590,9 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://access.redhat.com/articles/4409591#audit-record-types-2",
           "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
           "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
+          "https://access.redhat.com/articles/4409591#audit-record-types-2",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
         ],
         "tags": [
@@ -88936,8 +89625,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
+          "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
           "https://book.hacktricks.xyz/shells/shells/linux",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
         ],
@@ -89241,8 +89930,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
           "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
+          "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
           "https://linux.die.net/man/8/useradd",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
         ],
@@ -89284,8 +89973,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
           "https://github.com/Immersive-Labs-Sec/nimbuspwn",
+          "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml"
         ],
         "tags": [
@@ -89409,8 +90098,8 @@
         "logsource.product": "linux",
         "refs": [
           "https://artkond.com/2017/03/23/pivoting-guide/",
-          "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
           "http://pastebin.com/FtygZ1cg",
+          "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
           "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
         ],
@@ -89710,8 +90399,8 @@
         "logsource.category": "No established category",
         "logsource.product": "linux",
         "refs": [
-          "https://twitter.com/matthieugarin/status/1183970598210412546",
           "https://access.redhat.com/security/cve/cve-2019-14287",
+          "https://twitter.com/matthieugarin/status/1183970598210412546",
           "https://www.openwall.com/lists/oss-security/2019/10/14/1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
         ],
@@ -89853,10 +90542,10 @@
         "logsource.category": "file_event",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml"
         ],
         "tags": [
@@ -89890,10 +90579,10 @@
         "logsource.category": "file_event",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
         ],
         "tags": [
@@ -90150,8 +90839,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://twitter.com/matthieugarin/status/1183970598210412546",
           "https://access.redhat.com/security/cve/cve-2019-14287",
+          "https://twitter.com/matthieugarin/status/1183970598210412546",
           "https://www.openwall.com/lists/oss-security/2019/10/14/1",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
         ],
@@ -90227,10 +90916,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml"
         ],
         "tags": [
@@ -90343,9 +91032,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
+          "https://gtfobins.github.io/gtfobins/vim/",
           "https://gtfobins.github.io/gtfobins/rvim/",
           "https://gtfobins.github.io/gtfobins/vimdiff/",
-          "https://gtfobins.github.io/gtfobins/vim/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
         ],
         "tags": [
@@ -90378,10 +91067,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"
         ],
         "tags": [
@@ -90458,10 +91147,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml"
         ],
         "tags": [
@@ -90561,8 +91250,8 @@
         "logsource.product": "linux",
         "refs": [
           "https://linuxhint.com/uninstall_yum_package/",
-          "https://linuxhint.com/uninstall-debian-packages/",
           "https://sysdig.com/blog/mitre-defense-evasion-falco",
+          "https://linuxhint.com/uninstall-debian-packages/",
           "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
         ],
@@ -90671,8 +91360,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
           "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
+          "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
         ],
         "tags": [
@@ -90739,8 +91428,8 @@
         "logsource.product": "linux",
         "refs": [
           "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
-          "https://blogs.blackberry.com/",
           "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
+          "https://blogs.blackberry.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
         ],
         "tags": [
@@ -90773,8 +91462,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.revshells.com/",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml"
         ],
         "tags": [
@@ -90840,8 +91529,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.revshells.com/",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml"
         ],
         "tags": [
@@ -90874,11 +91563,11 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
+          "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
           "https://twitter.com/d1r4c/status/1279042657508081664",
           "https://curl.se/docs/manpage.html",
           "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
-          "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
         ],
         "tags": [
@@ -90919,8 +91608,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.revshells.com/",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml"
         ],
         "tags": [
@@ -90977,10 +91666,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.cyberciti.biz/faq/linux-remove-user-command/",
           "https://linuxize.com/post/how-to-delete-group-in-linux/",
           "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
           "https://linux.die.net/man/8/userdel",
+          "https://www.cyberciti.biz/faq/linux-remove-user-command/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
         ],
         "tags": [
@@ -91259,10 +91948,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
         ],
         "tags": [
@@ -91285,8 +91974,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://blogs.blackberry.com/",
           "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+          "https://blogs.blackberry.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml"
         ],
         "tags": [
@@ -91386,8 +92075,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.revshells.com/",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml"
         ],
         "tags": [
@@ -91477,8 +92166,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
           "https://github.com/sleventyeleven/linuxprivchecker/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
         ],
         "tags": [
@@ -91511,10 +92200,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml"
         ],
         "tags": [
@@ -91547,8 +92236,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://bpftrace.org/",
           "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
+          "https://bpftrace.org/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
         ],
         "tags": [
@@ -91581,8 +92270,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.revshells.com/",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml"
         ],
         "tags": [
@@ -91724,10 +92413,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.cyberciti.biz/faq/linux-remove-user-command/",
           "https://linuxize.com/post/how-to-delete-group-in-linux/",
           "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
           "https://linux.die.net/man/8/groupdel",
+          "https://www.cyberciti.biz/faq/linux-remove-user-command/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
         ],
         "tags": [
@@ -91760,8 +92449,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
           "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
+          "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
         ],
         "tags": [
@@ -91794,9 +92483,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://github.com/diego-treitos/linux-smart-enumeration",
-          "https://github.com/carlospolop/PEASS-ng",
           "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
+          "https://github.com/carlospolop/PEASS-ng",
+          "https://github.com/diego-treitos/linux-smart-enumeration",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
         ],
         "tags": [
@@ -91896,8 +92585,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://blogs.blackberry.com/",
           "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+          "https://blogs.blackberry.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"
         ],
         "tags": [
@@ -91963,9 +92652,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
+          "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
           "https://linux.die.net/man/1/bash",
           "https://www.revshells.com/",
-          "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"
         ],
         "tags": [
@@ -91988,8 +92677,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://blogs.blackberry.com/",
           "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+          "https://blogs.blackberry.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"
         ],
         "tags": [
@@ -92264,9 +92953,9 @@
         "refs": [
           "https://www.infosecademy.com/netcat-reverse-shells/",
           "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+          "https://www.revshells.com/",
           "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
           "https://man7.org/linux/man-pages/man1/ncat.1.html",
-          "https://www.revshells.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
         ],
         "tags": [
@@ -92299,8 +92988,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://en.wikipedia.org/wiki/Nohup",
           "https://www.computerhope.com/unix/unohup.htm",
+          "https://en.wikipedia.org/wiki/Nohup",
           "https://gtfobins.github.io/gtfobins/nohup/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
         ],
@@ -92435,9 +93124,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
+          "Internal Research",
           "https://github.com/pathtofile/bad-bpf",
           "https://github.com/carlospolop/PEASS-ng",
-          "Internal Research",
           "https://github.com/Gui774ume/ebpfkit",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml"
         ],
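Review bot: `"Internal Research"` is moved rather than introduced here, but on the new side of the proc_creation_lnx_hack_tools.yml entry it remains a bare phrase inside an array whose other elements are all URLs. Consumers that render `refs` as links will produce a dead link for it, and anything validating the array against a URI format will reject the record. It would be cleaner for the generator to keep non-URL reference text out of `refs`, or for the upstream rule to carry it in its description instead; only this occurrence is visible in this chunk, so there may be others.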
@@ -92461,9 +93150,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
+          "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
           "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
           "https://bpftrace.org/",
-          "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
         ],
         "tags": [
@@ -92520,9 +93209,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://blogs.blackberry.com/",
           "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
           "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+          "https://blogs.blackberry.com/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
         ],
         "tags": [
@@ -92555,10 +93244,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml"
         ],
         "tags": [
@@ -92591,8 +93280,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.makeuseof.com/how-to-install-and-use-doas/",
           "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
+          "https://www.makeuseof.com/how-to-install-and-use-doas/",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
         ],
         "tags": [
@@ -92625,8 +93314,8 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
           "https://github.com/sleventyeleven/linuxprivchecker/",
+          "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"
         ],
         "tags": [
@@ -92795,9 +93484,9 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml"
         ],
         "tags": [
@@ -92830,10 +93519,10 @@
         "logsource.category": "process_creation",
         "logsource.product": "linux",
         "refs": [
-          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
+          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
           "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
           "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
-          "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+          "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
           "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"
         ],
         "tags": "No established tags"
@@ -92966,5 +93655,5 @@
       "value": "Security Software Discovery - Linux"
     }
   ],
-  "version": 20230715
+  "version": 20230728
 }