From c0fdfb0e997cef645507b9c8239395ed5b47e41d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 12 Jan 2023 13:46:31 +0100
Subject: [PATCH] chg: [sigma] updated with latest version + new relationship script
---
 clusters/sigma-rules.json | 22614 ++++++++++++++++++++++++++++++++----
 1 file changed, 20669 insertions(+), 1945 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index ffc3f22..9954344 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -9,6 +9,37 @@
 "type": "sigma-rules",
 "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2",
 "values": [
+ {
+ "description": "Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.",
+ "meta": {
+ "author": "Tim Brown",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unlikely. Except due to misconfigurations"
+ ],
+ "filename": "juniper_bgp_missing_md5.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "juniper",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1078",
+ "attack.t1110",
+ "attack.t1557"
+ ]
+ },
+ "uuid": "a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43",
+ "value": "Juniper BGP Missing MD5"
+ },
 {
 "description": "Detects many failed connection attempts to different ports or hosts",
 "meta": {
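Review bot: The new "Juniper BGP Missing MD5" entry in the hunk at -9 carries attack.t1078, attack.t1110 and attack.t1557 tags but no `related` array, while every other entry touched by this commit gains `related` entries derived from its attack.tXXXX tags; the three new Cisco LDP/BGP and Huawei BGP entries in the hunk at -760 have the same gap. Presumably the relationship script ran against the previous snapshot before these rules were pulled in. Re-running it after the upstream sync, or folding it into the generation step, would stop new entries from shipping without the relations the commit title advertises.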
@@ -55,6 +86,22 @@
 "attack.t1071.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "51186749-7415-46be-90e5-6914865c825a",
 "value": "High DNS Requests Rate - Firewall"
 },
@@ -102,6 +149,15 @@
 "attack.t1048.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3b6e327d-8649-4102-993f-d25786481589",
 "value": "High DNS Bytes Out - Firewall"
 },
@@ -118,8 +174,8 @@
 "logsource.category": "firewall",
 "logsource.product": "No established product",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
 ],
@@ -141,8 +197,8 @@
 "logsource.category": "firewall",
 "logsource.product": "No established product",
 "refs": [
- "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
 "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
+ "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml"
 ],
 "tags": [
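Review bot: The hunks at -118 and -141 only move URLs around inside `refs` without adding or removing one, and the same pattern repeats at -167, -293, -847, -1083, -1160, -1210 and -1315. That looks like the generator writing refs in an unstable iteration order rather than an upstream edit, and it buries the real content changes in this 20k-line diff. Emitting refs in upstream's order, or sorting them before the JSON is written, would keep future diffs down to rules that actually changed, which matters for a file reviewers must eyeball for dropped or altered detections.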
@@ -151,6 +207,15 @@
 "attack.t1041"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "881834a4-6659-4773-821e-1c151789d873",
 "value": "Equation Group C2 Communication"
 },
@@ -167,10 +232,10 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://core.telegram.org/bots/faq",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://core.telegram.org/bots/faq",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
 ],
 "tags": [
@@ -178,6 +243,15 @@
 "attack.t1102.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c64c5175-5189-431b-a55e-6d9882158251",
 "value": "Telegram Bot API Request"
 },
@@ -204,6 +278,22 @@
 "attack.t1595.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aff715fa-4dd5-497a-8db3-910bea555566",
 "value": "DNS Query to External Service Interaction Domains"
 },
@@ -229,6 +319,15 @@
 "attack.t1071.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2975af79-28c4-4d2f-a951-9095f229df29",
 "value": "Cobalt Strike DNS Beaconing"
 },
@@ -252,6 +351,15 @@
 "attack.t1048.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0f6c1bf5-70a5-4963-aef9-aab1eefb50bd",
 "value": "High DNS Bytes Out"
 },
@@ -277,6 +385,22 @@
 "attack.t1071.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "44ae5117-9c44-40cf-9c7c-7edad385ca70",
 "value": "High NULL Records Requests Rate"
 },
@@ -293,8 +417,8 @@
 "logsource.category": "dns",
 "logsource.product": "No established product",
 "refs": [
- "https://zeltser.com/c2-dns-tunneling/",
 "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/",
+ "https://zeltser.com/c2-dns-tunneling/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml"
 ],
 "tags": [
@@ -304,6 +428,22 @@
 "attack.t1048.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1ec4b281-aa65-46a2-bdae-5fd830ed914e",
 "value": "Possible DNS Tunneling"
 },
@@ -329,6 +469,15 @@
 "attack.t1071.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8ae51330-899c-4641-8125-e39f2e07da72",
 "value": "DNS TXT Answer with Possible Execution Strings"
 },
@@ -354,6 +503,22 @@
 "attack.t1071.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35",
 "value": "High TXT Records Requests Rate"
 },
@@ -380,6 +545,22 @@
 "attack.t1071.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4153a907-2451-4e4f-a578-c52bb6881432",
 "value": "Suspicious DNS Query with B64 Encoded String"
 },
@@ -405,6 +586,22 @@
 "attack.t1071.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b4163085-4001-46a3-a79a-55d8bbbc7a3a",
 "value": "High DNS Requests Rate"
 },
@@ -429,6 +626,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18",
 "value": "Wannacry Killswitch Domain"
 },
@@ -454,6 +660,22 @@
 "attack.t1567"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b593fd50-7335-4682-a36c-4edcb68e4641",
 "value": "Monero Crypto Coin Mining Pool Lookup"
 },
@@ -485,6 +707,22 @@
 "attack.t1124"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b",
 "value": "Cisco Discovery"
 },
@@ -512,6 +750,29 @@
 "attack.t1053"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b",
 "value": "Cisco Modify Configuration"
 },
@@ -538,6 +799,29 @@
 "attack.t1561.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "71d65515-c436-43c0-841b-236b1f32c21e",
 "value": "Cisco File Deletion"
 },
@@ -566,6 +850,29 @@
 "attack.t1560.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59",
 "value": "Cisco Stage Data"
 },
@@ -589,6 +896,15 @@
 "attack.t1552.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b",
 "value": "Cisco Show Commands Input"
 },
@@ -616,6 +932,22 @@
 "attack.t1005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cd072b25-a418-4f98-8ebc-5093fb38fe1a",
 "value": "Cisco Collect Data"
 },
@@ -664,6 +996,29 @@
 "attack.t1565.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c",
 "value": "Cisco Denial of Service"
 },
@@ -712,6 +1067,22 @@
 "attack.t1098"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3",
 "value": "Cisco Local Accounts"
 },
@@ -737,6 +1108,15 @@
 "attack.t1552.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d",
 "value": "Cisco Crypto Commands"
 },
@@ -760,9 +1140,111 @@
 "attack.t1070.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ceb407f6-8277-439b-951f-e4210e3ed956",
 "value": "Cisco Clear Logs"
 },
+ {
+ "description": "Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels",
+ "meta": {
+ "author": "Tim Brown",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unlikely. Except due to misconfigurations"
+ ],
+ "filename": "cisco_ldp_md5_auth_failed.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "cisco",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1078",
+ "attack.t1110",
+ "attack.t1557"
+ ]
+ },
+ "uuid": "50e606bf-04ce-4ca7-9d54-3449494bbd4b",
+ "value": "Cisco LDP Authentication Failures"
+ },
+ {
+ "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing",
+ "meta": {
+ "author": "Tim Brown",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unlikely. 
Except due to misconfigurations"
+ ],
+ "filename": "cisco_bgp_md5_auth_failed.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "cisco",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1078",
+ "attack.t1110",
+ "attack.t1557"
+ ]
+ },
+ "uuid": "56fa3cd6-f8d6-4520-a8c7-607292971886",
+ "value": "Cisco BGP Authentication Failures"
+ },
+ {
+ "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing.",
+ "meta": {
+ "author": "Tim Brown",
+ "creation_date": "2023/01/09",
+ "falsepositive": [
+ "Unlikely. Except due to misconfigurations"
+ ],
+ "filename": "huawei_bgp_auth_failed.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "huawei",
+ "refs": [
+ "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1078",
+ "attack.t1110",
+ "attack.t1557"
+ ]
+ },
+ "uuid": "a557ffe6-ac54-43d2-ae69-158027082350",
+ "value": "Huawei BGP Authentication Failures"
+ },
 {
 "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic",
 "meta": {
@@ -847,10 +1329,10 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
- "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
 "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
 "https://threatpost.com/microsoft-petitpotam-poc/168163/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
+ "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
 ],
 "tags": [
@@ -858,6 +1340,22 @@
 "attack.t1187"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a",
 "value": "Potential PetitPotam Attack Via EFS RPC Calls"
 },
@@ -882,6 +1380,15 @@
 "attack.t1048.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b",
 "value": "WebDav Put Request"
 },
@@ -909,6 +1416,15 @@
 "attack.t1053.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5",
 "value": "Remote Task Creation via ATSVC Named Pipe - Zeek"
 },
@@ -934,6 +1450,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf",
 "value": "Executable from Webdav"
 },
@@ -957,6 +1482,15 @@
 "attack.t1048"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5",
 "value": "DNS TOR Proxies"
 },
@@ -990,6 +1524,43 @@
 "attack.t1210"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ab6b1a39-a9ee-4ab4-b075-e83acf6e346b",
 "value": "OMIGOD HTTP No Authentication RCE"
 },
@@ -1017,6 +1588,29 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b640c0b8-87f8-4daa-aef8-95a24261dd1d",
 "value": "MITRE BZAR Indicators for Execution"
 },
@@ -1043,6 +1637,29 @@
 "attack.t1003.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "92dae1ed-1c9d-4eff-a567-33acbd95b00e",
 "value": "Possible Impacket SecretDump Remote Activity - Zeek"
 },
@@ -1083,8 +1700,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/nknorg/nkn-sdk-go",
 "https://github.com/Maka8ka/NGLite",
+ "https://github.com/nknorg/nkn-sdk-go",
 "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
 ],
@@ -1160,8 +1777,8 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/37",
 "https://github.com/OTRF/detection-hackathon-apt29",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml"
 ],
 "tags": [
@@ -1194,6 +1811,22 @@
 "attack.t1496"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bf74135c-18e8-4a72-a926-0e4f47888c19",
 "value": "DNS Events Related To Mining Pools"
 },
@@ -1210,12 +1843,12 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
 "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
 "https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
 "https://github.com/corelight/CVE-2021-1675",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
 ],
 "tags": [
@@ -1298,6 +1931,29 @@
 "attack.t1003.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2e69f167-47b5-4ae7-a390-47764529eff5",
 "value": "Transferring Files with Credential Data via Network Shares - Zeek"
 },
@@ -1315,10 +1971,10 @@
 "logsource.category": "No established category",
 "logsource.product": "zeek",
 "refs": [
- "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
 "https://tools.ietf.org/html/rfc2929#section-2.1",
- "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
 "https://twitter.com/neu5ron/status/1346245602502443009",
+ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
+ "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
 ],
 "tags": [
@@ -1327,6 +1983,22 @@
 "attack.command_and_control"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5",
 "value": "Suspicious DNS Z Flag Bit Set"
 },
@@ -1352,221 +2024,18 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616",
 "value": "Django Framework Exceptions"
 },
- {
- "description": "Detects a highly relevant Antivirus alert that reports a password dumper",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2018/09/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_password_dumper.yml",
- "level": "critical",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
- "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003",
- "attack.t1558",
- "attack.t1003.001",
- "attack.t1003.002"
- ]
- },
- "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93",
- "value": "Antivirus Password Dumper Detection"
- },
- {
- "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .",
- "meta": {
- "author": "Sittikorn S, Nuttakorn T, Tim Shelton",
- "creation_date": "2021/07/01",
- "falsepositive": [
- "Unlikely, or pending PSP analysis"
- ],
- "filename": "av_printernightmare_cve_2021_34527.yml",
- "level": "critical",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/mvelazco/status/1410291741241102338",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1055"
- ]
- },
- "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561",
- "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection"
- },
- {
- "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name",
- "meta": {
- "author": "Florian Roth, Arnim Rupp",
- "creation_date": "2018/09/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_relevant_files.yml",
- "level": "high",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1588"
- ]
- },
- "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c",
- "value": "Antivirus Relevant File Paths Alerts"
- },
- {
- "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2018/09/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_exploiting.yml",
- "level": "critical",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_exploiting.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864",
- "value": "Antivirus Exploitation Framework Detection"
- },
- {
- "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool",
- "meta": {
- 
"author": "Florian Roth",
- "creation_date": "2021/08/16",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_hacktool.yml",
- "level": "high",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1204"
- ]
- },
- "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba",
- "value": "Antivirus Hacktool Detection"
- },
- {
- "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.",
- "meta": {
- "author": "Florian Roth, Arnim Rupp",
- "creation_date": "2018/09/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "av_webshell.yml",
- "level": "high",
- "logsource.category": "antivirus",
- "logsource.product": "No established product",
- "refs": [
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://github.com/tennc/webshell",
- 
"https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", - "value": "Antivirus Web Shell Detection" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports ransomware", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/12", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_ransomware.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/?s=antivirus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_ransomware.yml" - ], - "tags": [ - "attack.t1486" - ] - }, - "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", - "value": "Antivirus Ransomware Detection" - }, - { - "description": "Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. 
Such as dropping tables and selecting wildcard fields", - "meta": { - "author": "@juju4", - "creation_date": "2022/12/27", - "falsepositive": [ - "Inventory and monitoring activity", - "Vulnerability scanners", - "Legitimate applications" - ], - "filename": "db_anomalous_query.yml", - "level": "medium", - "logsource.category": "database", - "logsource.product": "No established product", - "refs": [ - "https://github.com/sqlmapproject/sqlmap", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/database/db_anomalous_query.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.initial_access", - "attack.privilege_escalation", - "attack.t1190", - "attack.t1505.001" - ] - }, - "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5", - "value": "Suspicious SQL Query" - }, { "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", "meta": { @@ -1588,6 +2057,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", "value": "Spring Framework Exceptions" }, @@ -1612,6 +2090,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", "value": "Python SQL Exceptions" }, @@ -1636,6 +2123,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086", "value": "Suspicious SQL Error Messages" }, 
@@ -1653,9 +2149,9 @@ "logsource.product": "ruby_on_rails", "refs": [ "http://guides.rubyonrails.org/action_controller_overview.html", + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "http://edgeguides.rubyonrails.org/security.html", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", - "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -1663,6 +2159,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", "value": "Ruby on Rails Framework Exceptions" }, @@ -1679,15 +2184,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/techniques/T1087/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ - "attack.t1087" + "attack.t1087", + "attack.discovery" ] }, "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", 
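Review bot: In the `@@ -1679,15 +2184,15 @@` hunk the SharpHound account-recon rule gains `attack.discovery` next to `attack.t1087`, but no `related` entry is emitted for T1087 — the trailing context runs straight from the closing `},` of `meta` to `"uuid"` — whereas the T1003.001 and T1190 rules elsewhere in this patch all receive a `related-to` edge. Since the `https://attack.mitre.org/techniques/T1087/` reference is dropped from `refs` at the same time, the machine-readable link to the ATT&CK technique disappears entirely for this rule. If the relationship script intentionally skips parent (non-sub) techniques, that should be stated in the commit message; otherwise this rule should get the same `related` entry shape as its siblings. The technique-before-tactic order (`"attack.t1087", "attack.discovery"`) is also the reverse of the tactic-first order the other rules use; harmless, but inconsistent.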
@@ -1706,14 +2211,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/tactics/TA0007/", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", "value": "Remote Registry Recon" 
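Review bot: Replacing the string sentinel `"No established tags"` with a real array for the Remote Registry Recon rule is the right fix — a `tags` field that is sometimes a string and sometimes an array forces every consumer to type-check before iterating, and a plain `in` test against the string would silently succeed on substrings. Any rule in this file that still carries the string sentinel is outside this view; if some remain, `[]` is the safer sentinel so `tags` has exactly one type throughout the cluster. Note that the dropped `https://attack.mitre.org/tactics/TA0007/` reference is now represented only by `attack.discovery`, so consumers must resolve tactic tags to get that link back.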
@@ -1731,14 +2237,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", "value": "Remote Schedule Task Recon via ITaskSchedulerService" 
@@ -1756,12 +2263,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://attack.mitre.org/tactics/TA0008/", - "https://attack.mitre.org/techniques/T1569/002/", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -1769,6 +2274,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2", "value": "Remote Server Service Abuse for Lateral Movement" }, 
@@ -1785,12 +2299,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://attack.mitre.org/techniques/T1053/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -1799,6 +2311,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", "value": "Remote Schedule Task Lateral Movement via ATSvc" }, 
@@ -1815,15 +2336,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/techniques/T1033/", - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ - "attack.t1033" + "attack.t1033", + "attack.discovery" ] }, "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", @@ -1842,12 +2363,13 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://attack.mitre.org/tactics/TA0007/", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d", "value": "Remote Event Log Recon" 
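Review bot: The DCSync rule in the `@@ -1815,15 +2336,15 @@` hunk (`rpc_firewall_dcsync_attack.yml`, MS-DRSR references) is tagged `attack.t1033` and now also `attack.discovery`, yet abuse of DRSUAPI replication is credential access — ATT&CK tracks it as the OS Credential Dumping sub-technique DCSync, T1003.006 — and an analyst triaging by tactic would not expect a domain-replication alert filed under Discovery. This presumably mirrors the upstream Sigma tags at this revision, so the correction belongs upstream, but the generated relationships should be rebuilt once it lands. As with the other T1033/T1087/T1112-tagged rules in this patch, no `related` entry is emitted for `attack.t1033` here (context goes `]`, `},`, `"uuid"`), so the mapping gap and the mis-tagging compound each other.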
@@ -1865,12 +2387,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://attack.mitre.org/techniques/T1053/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -1879,6 +2399,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", "value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService" }, 
@@ -1895,12 +2424,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://attack.mitre.org/tactics/TA0008/", - "https://github.com/zeronetworks/rpcfirewall", - "https://attack.mitre.org/techniques/T1021/003/", - "https://attack.mitre.org/techniques/T1047/", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -1909,6 +2435,22 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68050b10-e477-4377-a99b-3721b422d6ef", "value": "Remote DCOM/WMI Lateral Movement" }, 
@@ -1925,12 +2467,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://attack.mitre.org/techniques/T1053/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -1939,6 +2479,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0", "value": "Remote Schedule Task Lateral Movement via SASec" }, 
@@ -1955,13 +2504,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://attack.mitre.org/tactics/TA0008/", - "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -1984,11 +2532,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://attack.mitre.org/techniques/T1033/", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ 
@@ -2011,11 +2558,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -2038,14 +2584,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7", "value": "Recon Activity via SASec" 
@@ -2063,16 +2610,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/tactics/TA0008/", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://attack.mitre.org/techniques/T1112/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ - "attack.lateral_movement" + "attack.lateral_movement", + "attack.t1112" ] }, "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", @@ -2091,11 +2637,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://attack.mitre.org/tactics/TA0008/", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ 
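Review bot: `attack.t1112` is added to the Remote Registry Lateral Movement rule in place of the removed `https://attack.mitre.org/techniques/T1112/` reference, but no `related` entry accompanies it — the hunk's trailing context is `]`, `},`, `"uuid"` — while technique tags on neighbouring rules do get a `related-to` edge. Separately, T1112 (Modify Registry) is a Defense Evasion technique and the only tactic tag is `attack.lateral_movement`; a lateral-movement technique such as T1021 is what a consumer pairing tactic and technique would expect, so either the tactic or the technique looks like a carry-over. Worth confirming against upstream before this mapping is relied on for pivots.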
@@ -2118,14 +2663,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0007/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", "value": "Remote Schedule Task Recon via AtScv" @@ -2151,6 +2697,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "value": "Potential Credential Dumping Attempt Via PowerShell" }, 
@@ -2167,10 +2722,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], @@ -2180,6 +2735,15 @@ "attack.s0002" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa34b441-961a-42fa-a100-ecc28c886725", "value": "LSASS Access from Program in Suspicious Folder" }, @@ -2196,8 +2760,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ @@ -2205,6 +2769,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462", "value": "Lsass Memory Dump via Comsvcs DLL" }, 
@@ -2234,6 +2807,22 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95", "value": "CMSTP Execution Process Access" }, @@ -2260,6 +2849,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", "value": "Load Undocumented Autoelevated COM Interface" }, @@ -2284,6 +2882,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", "value": "Credential Dumping by Pypykatz" }, @@ -2300,8 +2907,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/timbmsft/status/900724491076214784", "https://github.com/hlldz/Invoke-Phant0m", + "https://twitter.com/timbmsft/status/900724491076214784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" ], "tags": [ @@ -2309,6 +2916,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "value": "Suspect Svchost Memory Asccess" }, 
@@ -2325,9 +2941,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://twitter.com/mrd0x/status/1460597833917251595", "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", - "https://twitter.com/mrd0x/status/1460597833917251595", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" ], "tags": [ @@ -2336,6 +2952,15 @@ "attack.s0002" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651", "value": "LSASS Access from White-Listed Processes" }, @@ -2365,6 +2990,29 @@ "attack.s0002" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8", "value": "Mimikatz through Windows Remote Management" }, @@ -2391,6 +3039,15 @@ "attack.s0002" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "value": "WerFault Accassing LSASS" }, 
@@ -2441,6 +3098,15 @@ "attack.s0349" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", "value": "Credential Dumping by LaZagne" }, @@ -2463,6 +3129,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "174afcfa-6e40-4ae9-af64-496546389294", "value": "SVCHOST Credential Dump" }, @@ -2488,6 +3163,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "value": "UAC Bypass Using WOW64 Logger DLL Hijack" }, @@ -2504,10 +3188,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ 
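Review bot: The relationship script maps technique tags but silently ignores software tags: the LaZagne rule in the `@@ -2441,6 +3098,15 @@` hunk keeps `attack.s0349`, and the LSASS/Mimikatz rules keep `attack.s0002`, yet every generated `related` list contains only the T1003.001 entry. If software relationships are out of scope that should be stated in the commit message; otherwise extend the script to emit a `related-to` entry for `attack.sNNNN` tags pointing at the corresponding tool/malware galaxy object, since those are the pivots MISP users expect from a credential-dumping rule. The fixed `estimative-language:likelihood-probability="almost-certain"` tag on every generated edge also conveys no information; a note on why script-derived tag-to-technique edges are rated almost-certain would help readers interpret it.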
@@ -2516,6 +3200,15 @@ "attack.s0002" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", "value": "LSASS Memory Dump" }, @@ -2532,9 +3225,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" ], @@ -2545,6 +3238,15 @@ "car.2019-04-004" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "value": "Credential Dumping Tools Accessing LSASS Memory" }, 
@@ -2561,10 +3263,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], @@ -2574,6 +3276,15 @@ "attack.s0002" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", "value": "Rare GrantedAccess Flags on LSASS Access" }, 
@@ -2590,10 +3301,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
 ],
@@ -2603,6 +3314,15 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a18dd26b-6450-46de-8c91-9659150cf088",
 "value": "Suspicious GrantedAccess Flags on LSASS Access"
 },
@@ -2627,6 +3347,15 @@
 "attack.t1106"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0",
 "value": "Direct Syscall of NtOpenProcess"
 },
@@ -2654,6 +3383,40 @@
 "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da",
 "value": "Potential Shellcode Injection"
 },
+ {
+ "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_access_win_invoke_patchingapi.yml",
+ "level": "medium",
+ "logsource.category": "process_access",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/D1rkMtr/UnhookingPatch",
+ "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b916cba1-b38a-42da-9223-17114d846fd6",
+ "value": "Potential NT API Stub Patching"
+ },
 {
 "description": "Detects the process injection of a LittleCorporal generated Maldoc.",
 "meta": {
@@ -2676,6 +3439,22 @@
 "attack.t1055.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac",
 "value": "LittleCorporal Generated Maldoc Injection"
 },
@@ -2702,6 +3481,22 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5",
 "value": "HandleKatz Duplicating LSASS Handle"
 },
@@ -2728,6 +3523,15 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3",
 "value": "LSASS Memory Access by Tool Named Dump"
 },
@@ -2744,9 +3548,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
- "https://github.com/codewhitesec/SysmonEnte/",
 "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
+ "https://github.com/codewhitesec/SysmonEnte/",
+ "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
 ],
 "tags": [
@@ -2754,6 +3558,15 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e",
 "value": "SysmonEnte Usage"
 },
@@ -2781,6 +3594,15 @@
 "attack.t1562.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "09706624-b7f6-455d-9d02-adee024cee1d",
 "value": "CobaltStrike BOF Injection Pattern"
 },
@@ -2797,9 +3619,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
 "https://twitter.com/SBousseaden/status/1541920424635912196",
 "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
- "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
 ],
 "tags": [
@@ -2807,6 +3629,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7",
 "value": "Suspicious LSASS Access Via MalSecLogon"
 },
@@ -2879,6 +3710,15 @@
 "attack.t1055.012"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd",
 "value": "Sysmon Process Hollowing Detection"
 },
@@ -2895,8 +3735,8 @@
 "logsource.category": "sysmon_error",
 "logsource.product": "windows",
 "refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
 ],
 "tags": [
@@ -2904,6 +3744,15 @@
 "attack.t1564"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8",
 "value": "Sysmon Configuration Error"
 },
@@ -2920,8 +3769,8 @@
 "logsource.category": "sysmon_status",
 "logsource.product": "windows",
 "refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
 ],
 "tags": [
@@ -2929,6 +3778,15 @@
 "attack.t1564"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744",
 "value": "Sysmon Configuration Modification"
 },
@@ -2945,8 +3803,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml"
 ],
 "tags": [
@@ -2971,8 +3829,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml"
 ],
 "tags": [
@@ -3008,6 +3866,36 @@
 "attack.t1003.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e",
 "value": "Cred Dump-Tools Named Pipes"
 },
@@ -3024,11 +3912,11 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/issues/253",
- "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -3063,6 +3951,15 @@
 "attack.t1106"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "739915e4-1e70-4778-8b8a-17db02f66db1",
 "value": "Turla Group Named Pipes"
 },
@@ -3087,6 +3984,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a",
 "value": "Alternate PowerShell Hosts Pipe"
 },
@@ -3134,6 +4040,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5",
 "value": "PAExec Default Named Pipe"
 },
@@ -3158,6 +4073,15 @@
 "attack.execution"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb",
 "value": "WMI Event Consumer Created Named Pipe"
 },
@@ -3182,6 +4106,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c",
 "value": "PowerShell Execution Via Named Pipe"
 },
@@ -3208,6 +4141,15 @@
 "attack.s0029"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463",
 "value": "PsExec Tool Execution From Suspicious Locations - PipeName"
 },
@@ -3260,6 +4202,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9e77ed63-2ecf-4c7b-b09d-640834882028",
 "value": "PsExec Pipes Artifacts"
 },
@@ -3276,18 +4227,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
 "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
 ],
 "tags": [
@@ -3322,6 +4273,15 @@
 "attack.s0029"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f3f3a972-f982-40ad-b63c-bca6afdfad7c",
 "value": "PsExec Default Named Pipe"
 },
@@ -3338,9 +4298,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://o365blog.com/post/adfs/",
 "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/Azure/SimuLand",
+ "https://o365blog.com/post/adfs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
 ],
 "tags": [
@@ -3348,6 +4308,15 @@
 "attack.t1005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3",
 "value": "ADFS Database Named Pipe Connection"
 },
@@ -3374,6 +4343,22 @@
 "attack.t1134.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a",
 "value": "Koh Default Named Pipes"
 },
@@ -3407,6 +4392,36 @@
 "attack.t1003.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8",
 "value": "Mimikatz Use"
 },
@@ -3546,6 +4561,15 @@
 "attack.t1136.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea",
 "value": "Local User Creation"
 },
@@ -3572,6 +4596,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3",
 "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security"
 },
@@ -3622,6 +4655,15 @@
 "attack.t1134.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2",
 "value": "Addition of SID History to Active Directory Object"
 },
@@ -3678,6 +4720,15 @@
 "car.2016-04-002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982",
 "value": "Security Eventlog Cleared"
 },
@@ -3695,8 +4746,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
 "tags": [
@@ -3729,6 +4780,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c8b00925-926c-47e3-beea-298fd563728e",
 "value": "Remote Access Tool Services Have Been Installed - Security"
 },
@@ -3755,6 +4815,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a",
 "value": "Invoke-Obfuscation Via Use MSHTA - Security"
 },
@@ -3771,8 +4840,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
 ],
 "tags": [
@@ -3781,6 +4850,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76",
 "value": "Generic Password Dumper Activity on LSASS"
 },
@@ -3797,8 +4875,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
 ],
 "tags": "No established tags"
@@ -3843,8 +4921,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
 ],
@@ -3895,8 +4973,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/software/S0359/",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
+ "https://attack.mitre.org/software/S0359/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml"
 ],
 "tags": [
@@ -3906,6 +4984,15 @@
 "attack.t1016"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1",
 "value": "Correct Execution of Nltest.exe"
 },
@@ -3947,8 +5034,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
 "https://twitter.com/mattifestation/status/899646620148539397",
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
 ],
 "tags": [
@@ -3957,6 +5044,15 @@
 "attack.t1546.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88",
 "value": "WMI Persistence - Security"
 },
@@ -3994,8 +5090,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/menasec1/status/1106899890377052160",
 "https://www.secureworks.com/blog/ransomware-as-a-distraction",
+ "https://twitter.com/menasec1/status/1106899890377052160",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
 ],
 "tags": [
@@ -4004,6 +5100,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2",
 "value": "Persistence and Execution at Scale via GPO Scheduled Task"
 },
@@ -4123,10 +5228,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://github.com/sensepost/ruler",
 "https://github.com/sensepost/ruler/issues/47",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
+ "https://github.com/sensepost/ruler",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
@@ -4139,6 +5244,22 @@
 "attack.t1550.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "24549159-ac1b-479c-8175-d42aea947cae",
 "value": "Hacktool Ruler"
 },
@@ -4162,6 +5283,15 @@
 "attack.t1070.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a122ac13-daf8-4175-83a2-72c387be339d",
 "value": "Security Event Log Cleared"
 },
@@ -4179,8 +5309,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
 ],
 "tags": [
@@ -4192,6 +5322,22 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cb062102-587e-4414-8efa-dbe3c7bf19c6",
 "value": "Malicious Service Installations"
 },
@@ -4292,6 +5438,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a",
 "value": "Invoke-Obfuscation Via Use Rundll32 - Security"
 },
@@ -4308,9 +5463,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
 "tags": "No established tags"
@@ -4378,9 +5533,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
 "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
 ],
 "tags": [
@@ -4404,9 +5559,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -4419,6 +5574,36 @@
 "attack.s0195"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d",
 "value": "Secure Deletion with SDelete"
 },
@@ -4507,8 +5692,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
 "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
 ],
 "tags": [
@@ -4522,6 +5707,29 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d",
 "value": "Operation Wocao Activity - Security"
 },
@@ -4574,6 +5782,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1",
 "value": "Invoke-Obfuscation Via Stdin - Security"
 },
@@ -4601,6 +5818,22 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442",
 "value": "Metasploit Or Impacket Service Installation Via SMB PsExec"
 },
@@ -4625,6 +5858,15 @@
 "attack.t1222.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7",
 "value": "AD Object WriteDAC Access"
 },
@@ -4648,6 +5890,15 @@ "attack.t1212" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f7644214-0eb0-4ace-9455-331ec4c09253", "value": "Kerberos Manipulation" }, @@ -4713,14 +5964,14 @@ "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml" ], "tags": "No established tags" 
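Review bot: `"tags": "No established tags"` on the last line of this hunk gives `tags` a string type, whereas every other entry in this chunk carries an array under `tags`; a consumer that iterates `meta.tags` will fail on this record. The line is unchanged context, so the inconsistency predates this commit, but since the generator is being revised this sync is the natural point to emit `"tags": []` (or omit the key) for rules that have no ATT&CK tags, keeping the field's type stable across the whole cluster.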
@@ -4751,6 +6002,29 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", "value": "Transferring Files with Credential Data via Network Shares" }, @@ -4767,8 +6041,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" ], "tags": [ @@ -4800,6 +6074,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "value": "Remote PowerShell Sessions Network Connections (WinRM)" }, 
@@ -4816,9 +6099,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], "tags": [ @@ -4826,6 +6109,15 @@ "attack.command_and_control" ] }, + "related": [ + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "value": "Suspicious LDAP-Attributes Used" }, @@ -4878,6 +6170,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "value": "LSASS Access from Non System Account" }, 
@@ -4904,6 +6205,29 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "252902e3-5830-4cf6-bf21-c22083dfd5cf", "value": "Possible Impacket SecretDump Remote Activity" }, @@ -4946,9 +6270,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -4956,6 +6280,15 @@ "attack.t1207" ] }, + "related": [ + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "value": "Possible DC Shadow Attack" }, @@ -4980,6 +6313,15 @@ "attack.t1003.004" ] }, + "related": [ + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", "value": "DPAPI Domain Backup Key Extraction" }, 
@@ -5007,6 +6349,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617", "value": "Scheduled Task Deletion" }, @@ -5033,6 +6384,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "value": "T1047 Wmiprvse Wbemcomn DLL Hijack" }, @@ -5050,8 +6410,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", - "Live environment caused by malware", "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", + "Live environment caused by malware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -5059,6 +6419,15 @@ "attack.t1070.006" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed", "value": "Unauthorized System Time Modification" }, @@ -5111,6 +6480,15 @@ "attack.t1133" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "value": "Failed Logon From Public IP" }, 
@@ -5135,6 +6513,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", "value": "VSSAudit Security Event Source Registration" }, @@ -5184,6 +6571,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "value": "Password Change on Directory Service Restore Mode (DSRM) Account" }, @@ -5205,6 +6601,15 @@ "attack.t1212" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", "value": "Possible Remote Password Change Through SAMR" }, @@ -5229,6 +6634,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", "value": "Login with WMI" }, @@ -5260,6 +6674,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561", "value": "Chafer Activity - Security" }, 
@@ -5286,6 +6716,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "value": "Invoke-Obfuscation STDIN+ Launcher - Security" }, @@ -5311,6 +6750,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "97919310-06a7-482c-9639-92b67ed63cf8", "value": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -5327,9 +6775,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", - "https://attack.mitre.org/techniques/T1134/001/", + "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml" ], "tags": [ @@ -5338,6 +6785,15 @@ "attack.t1134.001" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "value": "Access Token Abuse" }, @@ -5386,6 +6842,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2c99737c-585d-4431-b61a-c911d86ff32f", "value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" }, 
@@ -5460,6 +6925,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "value": "Invoke-Obfuscation CLIP+ Launcher - Security" }, @@ -5514,6 +6988,15 @@ "attack.s0039" ] }, + "related": [ + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "968eef52-9cff-4454-8992-1e74b9cbad6c", "value": "Reconnaissance Activity" }, @@ -5540,6 +7023,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "value": "Invoke-Obfuscation Via Use Clip - Security" }, @@ -5567,6 +7059,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00", "value": "Remote Task Creation via ATSVC Named Pipe" }, @@ -5605,10 +7106,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", - "https://twitter.com/Flangvik/status/1283054508084473861", "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + "https://twitter.com/Flangvik/status/1283054508084473861", + "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ 
@@ -5647,6 +7148,50 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "value": "Credential Dumping Tools Service Execution - Security" }, @@ -5671,6 +7216,15 @@ "attack.t1003.004" ] }, + "related": [ + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "value": "DPAPI Domain Master Key Backup Attempt" }, @@ -5695,6 +7249,15 @@ "attack.t1010" ] }, + "related": [ + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669", "value": "SCM Database Handle Failure" }, 
@@ -5721,6 +7284,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" }, @@ -5791,6 +7363,15 @@ "attack.t1048" ] }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c8afa4d-0022-48f0-9456-3712466f9701", "value": "Tap Driver Installation - Security" }, @@ -5807,9 +7388,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/topotam/PetitPotam", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", - "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ 
@@ -5817,16 +7398,25 @@ "attack.t1187" ] }, + "related": [ + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", "value": "PetitPotam Suspicious Kerberos TGT Request" }, { - "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.\nSo you have to work with a whitelist to find the bad stuff.\n", + "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", "meta": { "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "creation_date": "2019/04/08", "falsepositive": [ - "Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. 
Also try to exclude users, which are allowed to load drivers." + "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." ], "filename": "win_security_user_driver_loaded.yml", "level": "medium", @@ -5843,7 +7433,7 @@ ] }, "uuid": "f63508a0-c809-4435-b3be-ed819394d612", - "value": "Suspicious Driver Loaded By User" + "value": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", @@ -5868,6 +7458,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", "value": "Invoke-Obfuscation VAR+ Launcher - Security" }, @@ -5894,6 +7493,22 @@ "attack.t1134.002" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" }, @@ -5919,6 +7534,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "value": "RottenPotato Like Attack Pattern" }, 
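Review bot: The rewritten falsepositive string still reads `Other legimate tools loading drivers`, where `legitimate` is meant, and the rewritten description keeps `in to kernel mode` where `into` is intended. Both strings are copied from the upstream rule `win_security_user_driver_loaded.yml`, so the correction belongs in the Sigma source rather than in this generated file, where a local edit would be overwritten at the next sync.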
@@ -5936,8 +7560,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://adsecurity.org/?p=3458", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" ], "tags": [ @@ -5971,6 +7595,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648", "value": "Remote WMI ActiveScriptEventConsumers" }, @@ -6044,6 +7677,15 @@ "attack.initial_access" ] }, + "related": [ + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", "value": "External Disk Drive Or USB Storage Device" }, @@ -6060,8 +7702,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], 
@@ -6091,6 +7733,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dae8171c-5ec6-4396-b210-8466585b53e9", "value": "SCM Database Privileged Operation" }, @@ -6116,6 +7767,22 @@ "attack.t1136.002" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created" }, @@ -6132,8 +7799,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml" ], "tags": [ @@ -6143,6 +7810,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "value": "Important Scheduled Task Deleted/Disabled" }, 
@@ -6170,6 +7846,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066", "value": "Rare Schtasks Creations" }, @@ -6218,6 +7903,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "value": "PowerShell Scripts Installed as Services - Security" }, @@ -6244,6 +7938,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8400629e-79a9-4737-b387-5db940ab2367", "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, @@ -6292,6 +7995,15 @@ "attack.t1554" ] }, + "related": [ + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "value": "HybridConnectionManager Service Installation" }, @@ -6345,6 +8057,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" }, 
@@ -6393,6 +8114,15 @@ "attack.t1003.006" ] }, + "related": [ + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "17d619c1-e020-4347-957e-1d1207455c93", "value": "Active Directory Replication from Non Machine Account" }, @@ -6430,9 +8160,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], 
@@ -6483,16 +8213,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://twitter.com/_xpn_/status/1268712093928378368", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -6501,6 +8231,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", "value": "ETW Logging Disabled In .NET Processes - Registry" }, @@ -6527,6 +8266,15 @@ "attack.t1552.002" ] }, + "related": [ + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "value": "SAM Registry Hive Handle Request" }, @@ -6577,6 +8325,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "value": "Suspicious Scheduled Task Creation" }, @@ -6607,6 +8364,22 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "value": "RDP over Reverse SSH Tunnel WFP" }, @@ -6656,6 +8429,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "value": "Password Dumper Activity on LSASS" }, 
@@ -6681,6 +8463,15 @@ "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f", "value": "Suspicious Teams Application Related ObjectAcess Event" }, @@ -6731,6 +8522,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", "value": "User Added to Local Administrators" }, @@ -6755,6 +8555,15 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", "value": "Hidden Local User Creation" }, @@ -6817,8 +8626,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/duzvik/status/1269671601852813320", "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + "https://twitter.com/duzvik/status/1269671601852813320", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" ], "tags": [ 
@@ -6842,8 +8651,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
 "https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml"
 ],
 "tags": [
@@ -6851,6 +8660,15 @@
 "attack.t1187"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6",
 "value": "Possible PetitPotam Coerce Authentication Attempt"
 },
@@ -6875,6 +8693,15 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563",
 "value": "Disabling Windows Event Auditing"
 },
@@ -6891,9 +8718,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
 ],
 "tags": [
@@ -6918,8 +8745,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://adsecurity.org/?p=3466",
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
 ],
 "tags": [
@@ -6927,6 +8754,15 @@
 "attack.persistence"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc",
 "value": "Active Directory User Backdoors"
 },
@@ -6968,9 +8804,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
 "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
 "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
 ],
 "tags": [
@@ -6978,6 +8814,15 @@
 "attack.t1556"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f598ea0c-c25a-4f72-a219-50c44411c791",
 "value": "Possible Shadow Credentials Added"
 },
@@ -7004,6 +8849,15 @@
 "attack.s0005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67",
 "value": "WCE wceaux.dll Access"
 },
@@ -7020,9 +8874,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
 "https://www.sans.org/webcasts/119395",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -7034,6 +8888,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6",
 "value": "CobaltStrike Service Installations - Security"
 },
@@ -7078,6 +8941,15 @@
 "attack.t1098"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0255a820-e564-4e40-af2b-6ac61160335c",
 "value": "Addition of Domain Trusts"
 },
@@ -7095,10 +8967,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
 ],
 "tags": [
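Review bot: The `refs` array for win_security_cobaltstrike_service_installs.yml is only permuted in the first hunk on this line (the thedfirreport and crowdstrike entries move below the SANS webcast; nothing is added or removed), and the DCSync hunk further down does the same, which points to the relationship script serialising `refs` in a non-deterministic order. Emitting `refs` in the order of the upstream Sigma rule, or sorting them, would confine future regenerations to the real additions and make the `related` insertions reviewable. The new `related` entry itself is consistent with the rest of the file: `attack.t1569.002` maps to `f1951e8a-500e-4a26-8803-76d95c4554b4`, the same dest-uuid the smbexec.py and PSExec/WMI rules receive for that tag.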
@@ -7107,6 +8979,15 @@
 "attack.t1003.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a",
 "value": "Mimikatz DC Sync"
 },
@@ -7180,8 +9061,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1101431884540710913",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
+ "https://twitter.com/SBousseaden/status/1101431884540710913",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
 ],
 "tags": [
@@ -7208,8 +9089,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1490608838701166596",
 "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
+ "https://twitter.com/SBousseaden/status/1490608838701166596",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
 ],
 "tags": [
@@ -7217,6 +9098,15 @@
 "attack.t1543"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca",
 "value": "Service Installed By Unusual Client - Security"
 },
@@ -7241,6 +9131,15 @@
 "attack.t1098"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd",
 "value": "Enabled User Right in AD to Control User Objects"
 },
@@ -7258,8 +9157,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
- "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
 "https://twitter.com/malmoeb/status/1511760068743766026",
+ "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
 ],
 "tags": [
@@ -7296,6 +9195,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4",
 "value": "Suspicious Scheduled Task Update"
 },
@@ -7323,6 +9231,15 @@
 "car.2016-04-005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a",
 "value": "Admin User Remote Logon"
 },
@@ -7349,6 +9266,15 @@
 "cve.2021.34527"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8fe1c584-ee61-444b-be21-e9054b229694",
 "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access"
 },
@@ -7374,6 +9300,15 @@
 "attack.t1021.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641",
 "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
 },
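Review bot: In the "CVE-2021-1675 Print Spooler Exploitation IPC Access" hunk only the ATT&CK tag produces a `related` entry; the `cve.2021.34527` tag in the context line directly above is left unlinked, so a consumer pivoting on the vulnerability gets nothing from this galaxy. If the script has a vulnerability galaxy to point at, a second entry per cve.* tag, e.g. `{"dest-uuid": "<vulnerability-cluster-uuid>", "type": "related-to"}`, would make that pivot explicit; if cve.* tags are skipped on purpose, a one-line comment in the script saying so would save the next reader the same question. Note also that the cluster value names CVE-2021-1675 while the tag names CVE-2021-34527, which are distinct CVEs (the June 2021 LPE fix versus the later PrintNightmare RCE); that wording is inherited from the upstream rule, but the generated link is now the only machine-readable mapping and cannot tell them apart.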
@@ -7449,6 +9384,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad",
 "value": "Potential Remote Desktop Connection to Non-Domain Host"
 },
@@ -7465,8 +9409,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
 "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
+ "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml"
 ],
 "tags": [
@@ -7474,6 +9418,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d6266bf5-935e-4661-b477-78772735a7cb",
 "value": "CVE-2020-0688 Exploitation via Eventlog"
 },
@@ -7497,6 +9450,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43",
 "value": "Atera Agent Installation"
 },
@@ -7522,6 +9484,15 @@
 "attack.t1070.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9703792d-fd9a-456d-a672-ff92efe4806a",
 "value": "Backup Catalog Deleted"
 },
@@ -7546,6 +9517,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8",
 "value": "LPE InstallerFileTakeOver PoC CVE-2021-41379"
 },
@@ -7594,6 +9574,22 @@
 "attack.t1218.007"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60",
 "value": "MSI Installation From Web"
 },
@@ -7634,8 +9630,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
 "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
 "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
 ],
@@ -7644,6 +9640,15 @@
 "attack.t1588"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8",
 "value": "Relevant Anti-Virus Event"
 },
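Review bot: The first hunk on this line links "LPE InstallerFileTakeOver PoC CVE-2021-41379" to `3f886f2a-874f-4333-b794-aa6075009b1c`, the same dest-uuid the CVE-2020-0688 Exchange rule receives for its `attack.t1190` tag (Exploit Public-Facing Application); a local privilege escalation in Windows Installer is not a public-facing-application exploit, and T1068 (Exploitation for Privilege Escalation) is the technique that fits. The tag is inherited from the upstream Sigma rule, but the script now stamps the derived link `estimative-language:likelihood-probability="almost-certain"`, so an upstream mis-tag becomes an authoritative relationship in the galaxy. Consider having the script flag rules whose title says LPE/privilege escalation while the only technique tag is T1190, or at least not asserting `almost-certain` for mappings it has not checked.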
@@ -7715,6 +9720,15 @@
 "attack.t1489"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e",
 "value": "Application Uninstalled"
 },
@@ -7731,8 +9745,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
 ],
 "tags": [
@@ -7741,6 +9755,15 @@
 "attack.t1562.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6c82cf5c-090d-4d57-9188-533577631108",
 "value": "Microsoft Malware Protection Engine Crash"
 },
@@ -7758,8 +9781,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml"
 ],
 "tags": [
@@ -7783,8 +9806,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
 ],
 "tags": [
@@ -7792,6 +9815,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a18e0862-127b-43ca-be12-1a542c75c7c5",
 "value": "Potential Credential Dumping Via WER - Application"
 },
@@ -7811,8 +9843,8 @@
 "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://nullsec.us/windows-event-log-audit-cve/",
 "https://twitter.com/VM_vivisector/status/1217190929330655232",
- "https://www.youtube.com/watch?v=ebmW42YYveI",
 "https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://www.youtube.com/watch?v=ebmW42YYveI",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
 ],
 "tags": [
@@ -7830,6 +9862,50 @@
 "attack.t1499.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2",
 "value": "Audit CVE Event"
 },
@@ -7854,6 +9930,15 @@
 "attack.t1546"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "711ab2fe-c9ba-4746-8840-5228a58c3cb8",
 "value": "MSSQL Extended Stored Procedure Backdoor Maggie"
 },
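Review bot: The "Audit CVE Event" hunk emits six `related` entries, every one tagged `estimative-language:likelihood-probability="almost-certain"`, for a rule that by its name and references keys on the generic Windows Audit-CVE event and carries a broad set of exploitation and defense-evasion technique tags. A single event source cannot be almost-certainly related to six distinct techniques at once; the script applies the same constant to every link it mints, so the estimative tag carries no information and will mislead consumers that filter on it. A softer default such as `"estimative-language:likelihood-probability=\"likely\""`, or a value derived from how specific the rule's tags are (a single sub-technique versus a fan-out like this one), would make the tag meaningful.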
@@ -7870,8 +9955,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml"
 ],
 "tags": [
@@ -7918,8 +10003,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
- "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -7950,6 +10035,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b",
 "value": "Rare Scheduled Task Creations"
 },
@@ -7973,6 +10067,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "424273ea-7cf8-43a6-b712-375f925e481f",
 "value": "Suspicious Scheduled Tasks Locations"
 },
@@ -7989,8 +10092,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
 "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
+ "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
 ],
 "tags": [
@@ -8014,8 +10117,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/j00sean/status/1537750439701225472",
 "https://twitter.com/nas_bench/status/1539679555908141061",
+ "https://twitter.com/j00sean/status/1537750439701225472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml"
 ],
 "tags": [
@@ -8071,6 +10174,15 @@
 "attack.t1543"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947",
 "value": "Code Integrity Blocked Driver Load"
 },
@@ -8095,6 +10207,15 @@
 "attack.t1543"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1",
 "value": "Block Load Of Revoked Driver"
 },
@@ -8112,8 +10233,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/moti_b/status/1032645458634653697",
 "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
+ "https://twitter.com/moti_b/status/1032645458634653697",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
 ],
 "tags": [
@@ -8137,9 +10258,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
 "https://github.com/afwu/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
 ],
 "tags": [
@@ -8186,11 +10307,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
 "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
+ "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
 "tags": [
@@ -8214,9 +10335,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/afwu/PrintNightmare",
 "https://github.com/hhlxf/PrintNightmare",
 "https://twitter.com/fuzzyf10w/status/1410202370835898371",
- "https://github.com/afwu/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
 ],
 "tags": [
@@ -8225,6 +10346,15 @@
 "cve.2021.1675"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718",
 "value": "Possible CVE-2021-1675 Print Spooler Exploitation"
 },
@@ -8250,6 +10380,15 @@
 "cve.2021.1675"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a",
 "value": "CVE-2021-1675 Print Spooler Exploitation"
 },
@@ -8325,6 +10464,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98",
 "value": "LSASS Access Detected via Attack Surface Reduction"
 },
@@ -8341,8 +10489,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands",
 "https://twitter.com/duff22b/status/1280166329660497920",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml"
 ],
 "tags": [
@@ -8352,6 +10500,22 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003",
 "value": "PSExec and WMI Process Creations Block"
 },
@@ -8392,8 +10556,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
 "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
 ],
 "tags": [
@@ -8448,6 +10612,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186",
 "value": "Windows Defender AMSI Trigger Detected"
 },
@@ -8472,6 +10645,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "57b649ef-ff42-4fb0-8bf6-62da243a1708",
 "value": "Windows Defender Threat Detected"
 },
@@ -8488,8 +10670,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
 "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
 ],
 "tags": [
@@ -8524,6 +10706,43 @@
 "uuid": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b",
 "value": "Win Defender Restored Quarantine File"
 },
+ {
+ "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_bits_client_direct_ip_access.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "90f138c1-f578-4ac3-8c49-eecfd847c8b7",
+ "value": "Suspicious Download with BITS from Direct IP"
+ },
 {
 "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n",
 "meta": {
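Review bot: The `description` of the new "Suspicious Download with BITS from Direct IP" cluster names the trigger only as "a direct IP" and then pads with the generic T1197 sentence about persistence, which does not tell an analyst why a literal-IP URL is suspicious or what to triage. A description along the lines of `"Detects a BITS client download whose URL host is a literal IP address rather than a hostname; legitimate software rarely fetches this way, whereas loaders such as the TrueBot activity cited in refs have been observed doing so."` would anchor the `high` level. The `falsepositive` of `"Unknown"` at `level: high` also deserves a caveat, since internal update or deployment servers addressed by IP would trip this rule; that text comes from the upstream Sigma rule, but the galaxy entry is what MISP users will read when the cluster is attached to an event.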
@@ -8546,6 +10765,15 @@
 "attack.t1197"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b85e5894-9b19-4d86-8c87-a2f3b81f0521",
 "value": "Suspicious Download File Extension with BITS"
 },
@@ -8571,6 +10799,15 @@
 "attack.t1197"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb",
 "value": "Suspicious Task Added by Powershell"
 },
@@ -8596,6 +10833,15 @@
 "attack.t1197"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39",
 "value": "Suspicious Task Added by Bitsadmin"
 },
@@ -8621,6 +10867,15 @@
 "attack.t1197"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05",
 "value": "Download with BITS to Suspicious Folder"
 },
@@ -8637,9 +10892,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
 ],
 "tags": [
@@ -8648,6 +10903,15 @@
 "attack.t1197"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d635249d-86b5-4dad-a8c7-d7272b788586",
 "value": "Suspicious Download with BITS from Suspicious TLD"
 },
@@ -8664,8 +10928,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml"
 ],
 "tags": [
@@ -8674,6 +10938,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "value": "Suspicious Uncommon Download with BITS from Suspicious TLD" }, @@ -8690,8 +10963,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://ngrok.com/", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -8699,6 +10972,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272", "value": "Ngrok Usage with Remote Desktop Service" }, 
@@ -8710,15 +10992,15 @@ "falsepositive": [ "Unknown" ], - "filename": "win_susp_dns_config.yml", + "filename": "win_dns_server_susp_dns_config.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", - "https://twitter.com/gentilkiwi/status/861641945944391680", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml" + "https://twitter.com/gentilkiwi/status/861641945944391680", + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml" ], "tags": [ "attack.defense_evasion", @@ -8751,6 +11033,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52a85084-6989-40c3-8f32-091e12e13f09", "value": "smbexec.py Service Installation" }, @@ -8777,6 +11068,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "487c7524-f892-4054-b263-8a0ace63fc25", "value": "Invoke-Obfuscation Via Stdin - System" }, 
@@ -8803,6 +11103,22 @@ "attack.t1134.002" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" }, @@ -8877,6 +11193,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a31b18a-f00c-4061-9900-f735b96c99fc", "value": "Remote Access Tool Services Have Been Installed - System" }, @@ -8971,6 +11296,15 @@ "attack.t1584" ] }, + "related": [ + { + "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "value": "Windows Update Error" }, @@ -9021,6 +11355,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", "value": "PAExec Service Installation" }, @@ -9047,6 +11390,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - System" }, 
@@ -9073,6 +11425,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b", "value": "Invoke-Obfuscation Via Use Rundll32 - System" }, @@ -9097,6 +11458,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "value": "Service Installed By Unusual Client - System" }, @@ -9121,6 +11491,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "value": "PowerShell Scripts Installed as Services" }, @@ -9137,9 +11516,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml" ], "tags": [ @@ -9151,6 +11530,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5a105d34-05fc-401e-8553-272b45c1522d", "value": "CobaltStrike Service Installations - System" }, 
@@ -9174,6 +11562,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "839dd1e8-eda8-4834-8145-01beeee33acd", "value": "SAM Dump to AppData" }, @@ -9190,9 +11587,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -9226,6 +11623,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "175997c5-803c-4b08-8bb0-70b099f47595", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" }, @@ -9251,6 +11657,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4", "value": "Hacktool Service Registration or Execution" }, @@ -9267,8 +11682,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/Ekultek/BlueKeep", + "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ 
@@ -9277,6 +11692,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aaa5b30d-f418-420b-83a0-299cb6024885", "value": "Potential RDP Exploit CVE-2019-0708" }, @@ -9300,6 +11724,15 @@ "attack.lateral_movement" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18f37338-b9bd-4117-a039-280c81f7a596", "value": "Zerologon Exploitation Using Well-known Tools" }, @@ -9326,6 +11759,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation STDIN+ Launcher - System" }, @@ -9375,6 +11817,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", "value": "Mesh Agent Service Installation" }, @@ -9402,6 +11853,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "value": "Sliver C2 Default Service Installation" }, 
@@ -9452,6 +11912,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75", "value": "Invoke-Obfuscation VAR+ Launcher - System" }, @@ -9549,6 +12018,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df", "value": "Sysmon Crash" }, @@ -9575,6 +12053,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" }, @@ -9625,6 +12112,15 @@ "car.2016-04-002" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "value": "Eventlog Cleared" }, @@ -9697,6 +12193,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "value": "QuarksPwDump Clearing Access History" }, @@ -9723,6 +12228,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "value": "ProcessHacker Privilege Elevation" }, 
@@ -9826,6 +12340,15 @@ "car.2016-04-002" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "100ef69e-3327-481c-8e5c-6d80d9507556", "value": "System Eventlog Cleared" }, @@ -9842,9 +12365,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -9924,6 +12447,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f512acbf-e662-4903-843e-97ce4652b740", "value": "Volume Shadow Copy Mount" }, @@ -9973,6 +12505,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4bb79b62-ef12-4861-981d-2aab43fab642", "value": "TacticalRMM Service Installation" }, 
@@ -10029,6 +12570,50 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "value": "Credential Dumping Tools Service Execution - System" }, @@ -10052,6 +12637,15 @@ "attack.t1048" ] }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "value": "Tap Driver Installation" }, 
@@ -10083,6 +12677,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92", "value": "Chafer Activity - System" }, @@ -10107,6 +12717,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "value": "KrbRelayUp Service Installation" }, @@ -10133,6 +12752,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", "value": "Invoke-Obfuscation Via Use MSHTA - System" }, @@ -10159,6 +12787,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c", "value": "Invoke-Obfuscation Via Use Clip - System" }, @@ -10185,6 +12822,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation CLIP+ Launcher - System" }, 
@@ -10209,6 +12855,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "value": "Local Privilege Escalation Indicator TabTip" }, @@ -10233,6 +12888,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0cb7110-edf0-47a4-9177-541a4083128a", "value": "Vulnerable Netlogon Secure Channel Connection Allowed" }, @@ -10259,6 +12923,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28", "value": "PsExec Service Installation" }, @@ -10355,6 +13028,15 @@ "attack.t1554" ] }, + "related": [ + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f", "value": "HybridConnectionManager Service Running" }, @@ -10429,6 +13111,15 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3db10f25-2527-4b79-8d4b-471eb900ee29", "value": "GALLIUM Artefacts - Builtin" }, 
@@ -10445,8 +13136,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -10455,6 +13146,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "value": "WMI Persistence" }, @@ -10471,9 +13171,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ 
@@ -10486,6 +13186,50 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "value": "File Was Not Allowed To Run" }, 
@@ -10500,11 +13244,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", + "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ 
@@ -10514,9 +13258,154 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "31d68132-4038-47c7-8f8e-635a39a7c174", "value": "Potential Active Directory Reconnaissance/Enumeration Via LDAP" }, + { + "description": "Detects an appx package installation with the error code \"0x80073cff\". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Legitimate AppX packages not signed by MS used part of an enterprise" + ], + "filename": "appxdeployment_server_susp_appx_package_installation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "898d5fc9-fbc3-43de-93ad-38e97237c344", + "value": "Suspicious AppX Package Installation Attempt" + }, + { + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": 
"appxdeployment_server_susp_package_locations.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "value": "Suspicious AppX Package Locations" + }, + { + "description": "Detects installation of known malicious appx packages", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" + ], + "filename": "appxdeployment_server_mal_appx_names.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", + "value": "Malicious AppX Package Installed" + }, + { + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "meta": { + "author": "Nasreddine 
Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "appxdeployment_server_susp_domains.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "8b48ad89-10d8-4382-a546-50588c410f0d", + "value": "Suspicious Remote AppX Package Locations" + }, + { + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "appxdeployment_server_uncommon_package_locations.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c977cb50-3dff-4a9f-b873-9290f56132f1", + "value": "Uncommon AppX Package Locations" + }, { "description": "Detects removal of an exported Exchange mailbox which could be to 
cover tracks from ProxyShell exploit", "meta": { @@ -10562,6 +13451,15 @@ "attack.t1210" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", "value": "Possible Exploitation of Exchange RCE CVE-2021-42321" }, @@ -10610,6 +13508,15 @@ "attack.t1505.002" ] }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", "value": "Failed MSExchange Transport Agent Installation" }, @@ -10634,6 +13541,15 @@ "attack.resource_development" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "550d3350-bb8a-4ff3-9533-2ba533f4a1c0", "value": "ProxyLogon MSExchange OabVirtualDirectory" }, @@ -10706,6 +13622,15 @@ "attack.t1505.002" ] }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", "value": "MSExchange Transport Agent Installation - Builtin" }, @@ -10722,8 +13647,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" ], "tags": [ 
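Review bot: The new AppX entries carry spelling errors in user-facing text — `Whihc` and `sgining` in the first entry's `description`, `legtimate` in the third entry's `falsepositive` — and three descriptions read `added the pipeline of the "to be processed" packages`, which appears to be missing "to"; since this file is regenerated from the upstream Sigma YAML, the corrections belong in those rule files or they will be overwritten on the next run. Four of the five entries also list the bare string `Internal Research` inside `refs` next to URLs, so any consumer that dereferences `refs` must tolerate free text there. None of these entries receives a `related` array; they carry only the tactic tag `attack.defense_evasion`, which is consistent with the relationship script mapping technique tags only, but that behaviour should be confirmed rather than leaving tactic-only rules silently unlinked. The hunk ends in the context line ` "meta": {` of the following Exchange entry, whose body is outside this hunk.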
@@ -10731,6 +13656,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "value": "Exports Registry Key To an Alternate Data Stream" }, @@ -10747,8 +13681,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml" ], "tags": [ @@ -10757,6 +13691,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", "value": "Suspicious File Download from File Sharing Domain" }, @@ -10773,8 +13716,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml" ], "tags": [ @@ -10783,6 +13726,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", "value": "Unusual File Download from File Sharing Domain" }, 
@@ -10831,6 +13783,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368", "value": "Unusual File Download from Direct IP Address" }, @@ -10856,6 +13817,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "19b041f6-e583-40dc-b842-d6fa8011493f", "value": "Hacktool Download" }, @@ -10881,6 +13851,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "value": "Executable in ADS" }, @@ -10897,7 +13876,7 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1137/002/", + "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" ], "tags": [ @@ -10905,6 +13884,15 @@ "attack.t1137.002" ] }, + "related": [ + { + "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", "value": "Office Application Startup - Office Test" }, 
@@ -10971,9 +13959,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -10983,6 +13971,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "value": "PortProxy Registry Key" }, @@ -11000,8 +13997,8 @@ "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", - "https://persistence-info.github.io/Data/recyclebin.html", "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", + "https://persistence-info.github.io/Data/recyclebin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ @@ -11025,8 +14022,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://twitter.com/SBousseaden/status/1183745981189427200", + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" ], "tags": [ 
@@ -11035,6 +14032,15 @@ "attack.t1547.008" ] }, + "related": [ + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823", "value": "DLL Load via LSASS" }, @@ -11061,6 +14067,15 @@ "attack.t1546.002" ] }, + "related": [ + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", "value": "Path To Screensaver Binary Modified" }, @@ -11077,9 +14092,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -11089,6 +14104,15 @@ "cve.2021.34527" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "value": "PrinterNightmare Mimimkatz Driver Name" }, 
@@ -11154,8 +14178,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ @@ -11163,6 +14187,15 @@ "attack.t1546.009" ] }, + "related": [ + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01", "value": "New DLL Added to AppCertDlls Registry Key" }, @@ -11212,6 +14245,15 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "value": "Creation of a Local Hidden User Account by Registry" }, @@ -11237,6 +14279,15 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2", "value": "Windows Credential Editor Registry" }, @@ -11261,6 +14312,15 @@ "attack.t1547.005" ] }, + "related": [ + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "value": "Security Support Provider (SSP) Added to LSA Configuration" }, 
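Review bot: The relation added to the Windows Credential Editor Registry entry (dest-uuid 65f2d882-3f41-4d48-8a06-29af77ec9f90) is the same one this diff derives from `attack.t1003.001` on L122, while the only tag visible in this hunk's context is `attack.s0005`, which itself produced no relation. If the new relationship script deliberately maps technique tags only and not software ids, a sentence saying so in the commit description would stop readers from reading the absent S0005 link as a bug. If tool links are intended, the generator needs a second lookup for `attack.s` tags against the tool cluster.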
@@ -11299,8 +14359,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", "https://github.com/eset/malware-ioc/tree/master/oceanlotus", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" ], "tags": [ @@ -11334,6 +14394,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66", "value": "UAC Bypass Via Wsreset" }, @@ -11375,8 +14444,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ @@ -11411,6 +14480,15 @@ "attack.t1546.010" ] }, + "related": [ + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", "value": "New DLL Added to AppInit_DLLs Registry Key" }, 
@@ -11486,6 +14564,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", "value": "CMSTP Execution Registry Event" }, @@ -11502,8 +14589,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" ], "tags": [ @@ -11527,8 +14614,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ @@ -11538,6 +14625,15 @@ "attack.t1547" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "value": "Atbroker Registry Change" }, @@ -11610,6 +14706,15 @@ "attack.t1608" ] }, + "related": [ + { + "dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "value": "HybridConnectionManager Service Installation - Registry" }, 
@@ -11634,6 +14739,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5aad0995-46ab-41bd-a9ff-724f41114971", "value": "Esentutl Volume Shadow Copy Service Keys" }, @@ -11650,10 +14764,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://github.com/hfiref0x/UACME", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -11663,6 +14777,15 @@ "attack.t1546.001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "value": "Shell Open Registry Keys Manipulation" }, @@ -11712,6 +14835,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "55e29995-75e7-451a-bef0-6225e2f13597", "value": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" }, 
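Review bot: The `related` array added to the Shell Open Registry Keys Manipulation entry (uuid 152f3630-77c1-4284-bcc0-4cc68ab2f6e7) holds only 120d5519-3098-4e1c-9191-2aa61232f073, the dest-uuid that L120 (UAC Bypass Via Wsreset) and L131 (Disable UAC Using Registry) pair with `attack.t1548.002`, yet the last visible tag of this entry is `attack.t1546.001`. The preceding tags are outside the context lines, but if the rule carries both techniques then `attack.t1546.001` resolved to nothing and the script's tag-to-UUID table is probably missing that sub-technique. A warning from the generator whenever an `attack.tNNNN` or `attack.tNNNN.NNN` tag fails to resolve would surface such gaps at regeneration time instead of silently dropping the link.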
@@ -11736,6 +14868,15 @@ "attack.t1491.001" ] }, + "related": [ + { + "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8b9606c9-28be-4a38-b146-0e313cc232c1", "value": "Potential Ransomware Activity Using LegalNotice Message" }, @@ -11767,6 +14908,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", "value": "Chafer Activity - Registry" }, @@ -11792,6 +14949,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", "value": "Pandemic Registry Key" }, @@ -11816,6 +14982,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "value": "Removal Of Index Value to Hide Schedule Task" }, @@ -11866,6 +15041,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", "value": "Removal Of SD Value to Hide Schedule Task" }, 
@@ -11931,11 +15115,11 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", - "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://docs.microsoft.com/en-us/windows/win32/shell/launch", "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + "https://docs.microsoft.com/en-us/windows/win32/shell/launch", + "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ @@ -11967,6 +15151,15 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", "value": "Windows Registry Persistence COM Key Linking" }, @@ -11983,8 +15176,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" ], "tags": [ 
@@ -12017,6 +15210,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014", "value": "Sysinternals SDelete Registry Keys" }, @@ -12041,6 +15243,15 @@ "attack.t1588.002" ] }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "value": "Usage of Suspicious Sysinternals Tools" }, @@ -12057,8 +15268,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml" ], "tags": [ @@ -12089,6 +15300,15 @@ "attack.t1588.002" ] }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", "value": "Usage of Renamed Sysinternals Tools" }, 
@@ -12106,10 +15326,10 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" ], "tags": [ @@ -12166,6 +15386,15 @@ "attack.t1588.002" ] }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", "value": "Usage of Sysinternals Tools - Registry" }, @@ -12183,7 +15412,6 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", - "https://attack.mitre.org/techniques/T1037/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml" ], "tags": [ @@ -12192,6 +15420,15 @@ "attack.lateral_movement" ] }, + "related": [ + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "value": "Logon Scripts Creation in UserInitMprLogonScript Registry" }, 
@@ -12208,9 +15445,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "https://twitter.com/Hexacorn/status/991447379864932352", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ 
@@ -12218,9 +15455,52 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb", "value": "Execution DLL of Choice Using WAB.EXE" }, + { + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/10", + "falsepositive": [ + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + ], + "filename": "registry_set_persistence_app_paths.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.012" + ] + }, + "related": [ + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "value": "Potential Persistence Via App Paths Default Property" + }, { "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 
vulnerability and DevilsTongue malware by threat group Sourgum", "meta": { @@ -12234,8 +15514,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ @@ -12246,6 +15526,15 @@ "cve.2021.31979" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00", "value": "CVE-2021-31979 CVE-2021-33771 Exploits" }, 
@@ -12274,28 +15563,28 @@
 "value": "Activate Suppression of Windows Security Center Notifications"
 },
 {
- "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute",
+ "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence",
 "meta": {
- "author": "frack113",
- "creation_date": "2022/08/20",
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
 "falsepositive": [
- "Legitimate use of the dll."
+ "Unknown"
 ],
- "filename": "registry_set_scrobj_dll_persistence.yml",
- "level": "medium",
+ "filename": "registry_set_persistence_chm.yml",
+ "level": "high",
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml"
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
+ "https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.015"
+ "attack.persistence"
 ]
 },
- "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90",
- "value": "Scrobj.dll COM Hijacking"
+ "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b",
+ "value": "Potential Persistence Via CHM Helper DLL"
 },
 {
 "description": "Detects potential persistence using Appx DebugPath",
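Review bot: The Scrobj.dll COM Hijacking entry (uuid fe20dda1-6f37-4379-bbe0-a98d400cae90) disappears from the cluster here, overwritten in place by the CHM Helper DLL entry (uuid 976dd1f2-a484-45ec-aa1d-0e87e882262b); the GlobalFlags entry (uuid 36803969-5421-41ec-b92f-8500f79c23b0) on L132 and the IE Registry Settings entry (uuid d88d0ab2-e696-4d40-a2ed-9790064e66b3) on L135 are dropped the same way. Unless those UUIDs are re-emitted elsewhere in the file, which this chunk cannot show, MISP events and galaxy relations that already reference them will dangle after the update. Keeping removed rules as entries marked deprecated rather than deleting them, or at least listing the dropped UUIDs in the commit message, would preserve referential stability for consumers of the galaxy. The new CHM entry carries only the tactic tag `attack.persistence`, so its lack of a `related` array is consistent with the rest of the diff.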
@@ -12319,8 +15608,17 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae", - "value": "Windows Registry Persistence DebugPath" + "value": "Potential Persistence Using DebugPath" }, { "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", @@ -12343,6 +15641,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", "value": "CrashControl CrashDump Disabled" }, @@ -12368,6 +15675,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", "value": "Disable UAC Using Registry" }, @@ -12384,8 +15700,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml" ], "tags": [ 
@@ -12420,34 +15736,6 @@
 "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a",
 "value": "Registry Explorer Policy Modification"
 },
- {
- "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys",
- "meta": {
- "author": "Karneades, Jonhnathan Ribeiro, Florian Roth",
- "creation_date": "2018/04/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_globalflags_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.persistence",
- "attack.defense_evasion",
- "attack.t1546.012",
- "car.2013-01-002"
- ]
- },
- "uuid": "36803969-5421-41ec-b92f-8500f79c23b0",
- "value": "Potential GlobalFlags Registry Persistence Attempt"
- },
 {
 "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)",
 "meta": {
@@ -12470,7 +15758,7 @@
 ]
 },
 "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47",
- "value": "Modify Attachment Manager Settings - Associations"
+ "value": "Potential Attachment Manager Settings Associations Tamper"
 },
 {
 "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)",
@@ -12512,8 +15800,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ 
@@ -12537,13 +15825,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ 
@@ -12555,30 +15843,6 @@ "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", "value": "RDP Sensitive Settings Changed to Zero" }, - { - "description": "Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings", - "meta": { - "author": "frack113", - "creation_date": "2022/01/22", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_ie_persistence.yml", - "level": "low", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_persistence.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", - "value": "Modification of IE Registry Settings" - }, { "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", "meta": { @@ -12618,8 +15882,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ 
@@ -12628,6 +15892,15 @@ "attack.t1546.009" ] }, + "related": [ + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298", "value": "Session Manager Autorun Keys Modification" }, @@ -12655,6 +15928,29 @@ "uuid": "833ef470-fa01-4631-a79b-6f291c9ac498", "value": "Add Debugger Entry To Hangs Key For Persistence" }, + { + "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_powershell_execution_policy.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "fad91067-08c5-4d1a-8d8c-d96a21b37814", + "value": "Potential PowerShell Execution Policy Tampering" + }, { "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", "meta": { @@ -12678,6 +15974,22 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "07743f65-7ec9-404a-a519-913db7118a8d", "value": "COM Hijack via Sdclt" }, 
@@ -12718,8 +16030,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
+ "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
 ],
 "tags": [
@@ -12743,9 +16055,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://twitter.com/inversecos/status/1494174785621819397",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
 ],
 "tags": [
@@ -12781,6 +16093,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130",
 "value": "CobaltStrike Service Installations in Registry"
 },
@@ -12808,6 +16129,40 @@ "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1", "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" }, + { + "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/01/10", + "falsepositive": [ + "Legitimate Addin Installation" + ], + "filename": "registry_set_persistence_office_vsto.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_vivami/status/1347925307643355138", + "https://vanmieghem.io/stealth-outlook-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml" + ], + "tags": [ + "attack.t1137.006", + "attack.persistence" + ] + }, + "related": [ + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685", + "value": "Potential Persistence Via Visual Studio Tools for Office" + }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { 
@@ -12822,10 +16177,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
 ],
 "tags": [
@@ -12849,8 +16204,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
 "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
+ "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
 ],
 "tags": [
@@ -12858,6 +16213,15 @@
 "attack.t1588.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8",
 "value": "Suspicious Keyboard Layout Load"
 },
@@ -12885,31 +16249,6 @@ "uuid": "93d298a1-d28f-47f1-a468-d971e7796679", "value": "Disable Tamper Protection on Windows Defender" }, - { - "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/01/10", - "falsepositive": [ - "Legitimate Addin Installation" - ], - "filename": "registry_set_office_vsto_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://vanmieghem.io/stealth-outlook-persistence/", - "https://twitter.com/_vivami/status/1347925307643355138", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml" - ], - "tags": [ - "attack.t1137.006", - "attack.persistence" - ] - }, - "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685", - "value": "Stealthy VSTO Persistence" - }, { "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", "meta": { @@ -12948,8 +16287,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" ], "tags": [ 
@@ -12982,6 +16321,15 @@
 "attack.t1562"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4f281b83-0200-4b34-bf35-d24687ea57c2",
 "value": "ETW Logging Disabled For SCM"
 },
@@ -13022,8 +16370,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/codesigning.html",
 "https://github.com/gtworek/PSBits/tree/master/SIP",
+ "https://persistence-info.github.io/Data/codesigning.html",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
@@ -13033,6 +16381,15 @@
 "attack.t1553.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1",
 "value": "Persistence Via New SIP Provider"
 },
@@ -13051,8 +16408,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
 ],
 "tags": [
@@ -13108,6 +16465,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f", "value": "Disable Microsoft Defender Firewall via Registry" }, @@ -13133,6 +16499,15 @@ "attack.t1574" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b", "value": "Potential Registry Persistence Attempt Via DbgManagedDebugger" }, @@ -13181,6 +16556,15 @@ "attack.t1588.002" ] }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8023f872-3f1d-4301-a384-801889917ab4", "value": "Usage of Renamed Sysinternals Tools - RegistrySet" }, @@ -13197,8 +16581,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" ], "tags": [ @@ -13206,6 +16590,15 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "value": "COM Hijacking via TreatAs" }, 
@@ -13254,34 +16647,18 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "value": "Disable Winevt Event Logging Via Registry" }, - { - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/10", - "falsepositive": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" - ], - "filename": "registry_set_susp_app_paths_persistence.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", - "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.012" - ] - }, - "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6", - "value": "Suspicious Values In App Paths Default Property" - }, { "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", "meta": { 
@@ -13295,8 +16672,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
 ],
 "tags": [
@@ -13304,6 +16681,15 @@
 "attack.t1564.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec",
 "value": "Registry Persitence via Service in Safe Mode"
 },
@@ -13320,8 +16706,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://labs.f-secure.com/blog/scheduled-task-tampering/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
 ],
 "tags": [
@@ -13330,24 +16716,33 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "value": "Scheduled TaskCache Change by Uncommon Program" }, { - "description": "Adds a RUN key that contains a powershell keyword", + "description": "Detects potential PowerShell commands or code within registry run keys", "meta": { "author": "frack113, Florian Roth", "creation_date": "2022/03/17", "falsepositive": [ - "Legitimate admin or third party scripts" + "Legitimate admin or third party scripts. Baseline according to your environnement" ], "filename": "registry_set_powershell_in_run_keys.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" ], "tags": [ @@ -13356,7 +16751,7 @@ ] }, "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c", - "value": "Powershell in Windows Run Keys" + "value": "Suspicious Powershell In Registry Run Keys" }, { "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", 
@@ -13382,6 +16777,43 @@ "uuid": "b7916c2a-fa2f-4795-9477-32b731f70f11", "value": "Registry Persistence via Explorer Run Key" }, + { + "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", + "meta": { + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "creation_date": "2018/04/11", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_globalflags.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.defense_evasion", + "attack.t1546.012", + "car.2013-01-002" + ] + }, + "related": [ + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "36803969-5421-41ec-b92f-8500f79c23b0", + "value": "Potential Persistence Via GlobalFlags" + }, { "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk 
cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", "meta": { @@ -13395,8 +16827,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" ], "tags": [ 
@@ -13427,7 +16859,41 @@ ] }, "uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", - "value": "Persistence Via MyComputer Key and SubKeys" + "value": "Potential Persistence Via MyComputer Registry Keys" + }, + { + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_shim_databases.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.011" + ] + }, + "related": [ + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", + "value": "Potential Persistence Via Shim Database Modification" }, { "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", 
@@ -13474,6 +16940,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "value": "Custom File Open Handler Executes PowerShell" }, @@ -13538,8 +17013,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml" ], "tags": [ @@ -13547,6 +17022,15 @@ "attack.t1137" ] }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "value": "Change Outlook Security Setting in Registry" }, @@ -13565,9 +17049,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://persistence-info.github.io/Data/userinitmprlogonscript.html", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://persistence-info.github.io/Data/userinitmprlogonscript.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ 
@@ -13600,32 +17084,50 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "90f342e1-1aaa-4e43-b092-39fda57ed11e", "value": "ETW Logging Disabled For rpcrt4.dll" }, { - "description": "Detects when a new custom protocole handler is registered", + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/05/30", + "author": "frack113", + "creation_date": "2022/08/20", "falsepositive": [ - "Legitimate applications registering a new custom protocol handler" + "Legitimate use of the dll." ], - "filename": "registry_set_register_custom_protocol_handler.yml", + "filename": "registry_set_persistence_scrobj_dll.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.persistence", + "attack.t1546.015" ] }, - "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", - "value": "Newly Registered Protocol Handler" + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90", + "value": "Potential Persistence Via Scrobj.dll COM Hijacking" 
}, { "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", @@ -13651,30 +17153,6 @@ "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", "value": "Allow RDP Remote Assistance Feature" }, - { - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_natural_language_persistence.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/naturallanguage6.html", - "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", - "value": "Add DLLPathOverride Entry For Persistence" - }, { "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", "meta": { 
@@ -13688,13 +17166,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -13727,33 +17205,18 @@ "attack.t1547.010" ] }, + "related": [ + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "value": "Add Port Monitor Persistence in Registry" }, - { - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_lsa_extension_persistence.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1476286368385019906", - "https://persistence-info.github.io/Data/lsaaextension.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36", - "value": "Persistence Via LSA Extensions" - }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { 
@@ -13769,8 +17232,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -13796,8 +17259,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -13854,6 +17317,15 @@ "attack.t1221" ] }, + "related": [ + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", "value": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" }, @@ -13871,7 +17343,6 @@ "logsource.product": "windows", "refs": [ "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/", - "https://attack.mitre.org/techniques/T1546/015/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml" ], "tags": [ 
@@ -13879,8 +17350,17 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", - "value": "Windows Registry Persistence COM Search Order Hijacking" + "value": "Potential Persistence Via COM Search Order Hijacking" }, { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", @@ -13904,6 +17384,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "value": "UAC Bypass Abusing Winsat Path Parsing - Registry" }, @@ -13929,6 +17418,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93", "value": "UAC Bypass Using Windows Media Player - Registry" }, @@ -13954,7 +17452,7 @@ ] }, "uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", - "value": "Modify Attachment Manager Settings - Attachments" + "value": "Potential Attachment Manager Settings Attachments Tamper" }, { "description": "Detects the Setting of Windows Defender Exclusions", @@ -14003,6 +17501,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c", "value": "Change Winevt Event Access Permission Via Registry" }, 
@@ -14021,8 +17528,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ 
@@ -14078,9 +17585,42 @@
 "attack.t1562.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0",
 "value": "Disable Windows Firewall by Registry"
 },
+ {
+ "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/05/30",
+ "falsepositive": [
+ "Legitimate applications registering a new custom protocol handler"
+ ],
+ "filename": "registry_set_persistence_custom_protocol_handler.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085",
+ "value": "Potential Persistence Via Custom Protocol Handler"
+ },
 {
 "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen",
 "meta": {
@@ -14102,6 +17642,15 @@
 "attack.t1564.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a",
 "value": "User Account Hidden By Registry"
 },
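Review bot: The new `Potential Persistence Via Custom Protocol Handler` entry is tagged `attack.t1112` but gets no `related` array, whereas existing entries carrying the same technique tag (for example `DNS-over-HTTPS Enabled by Registry` later in this diff) gain a `related-to` link to `3ccef7ae-cb5e-48f6-8302-897105fbf55c` in this same commit; the new `Modification of IE Registry Settings` entry further down has the same gap. This looks like the relationship script ran before the new rules were imported, or skips entries it has not seen before — re-running it after the import should close the gap, and a consistency check (every `attack.tNNNN` tag yields a `related` entry) would catch this in future regenerations. The description also inherits upstream wording defects (`protocole handlers`, `And attacker can abuse`); since this file mirrors Sigma, the fix belongs in `registry_set_persistence_custom_protocol_handler.yml` rather than in the generated JSON.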
@@ -14127,6 +17676,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27", "value": "Blue Mockingbird - Registry" }, @@ -14175,6 +17733,15 @@ "attack.t1547.010" ] }, + "related": [ + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "509e84b9-a71a-40e0-834f-05470369bd1e", "value": "Changing RDP Port to Non Standard Number" }, @@ -14191,10 +17758,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ 
@@ -14218,8 +17785,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -14227,6 +17794,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d223b46b-5621-4037-88fe-fda32eead684", "value": "New Root or CA or AuthRoot Certificate to Store" }, @@ -14243,8 +17819,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" ], "tags": [ @@ -14254,6 +17830,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa", "value": "UAC Bypass via Sdclt" }, 
@@ -14270,8 +17855,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/hhctrl.html", "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", + "https://persistence-info.github.io/Data/hhctrl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" ], "tags": [ @@ -14302,6 +17887,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5de03871-5d46-4539-a82d-3aa992a69a83", "value": "Registry Disable System Restore" }, @@ -14326,6 +17920,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8", "value": "Potential Registry Persistence Attempt Via Windows Telemetry" }, 
@@ -14353,11 +17956,34 @@
 "attack.t1546"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd",
 "value": "Outlook C2 Registry Key"
 },
 {
- "description": "Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging",
+ "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging",
 "meta": {
 "author": "frack113",
 "creation_date": "2022/04/02",
@@ -14365,7 +17991,7 @@
 "Unknown"
 ],
 "filename": "registry_set_powershell_logging_disabled.yml",
- "level": "medium",
+ "level": "high",
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
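Review bot: The replacement description in the first hunk is now a fragment — `Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, ...` leaves the second sentence without a main clause, and the old text it replaces read correctly. It presumably mirrors the upstream Sigma wording, so the fix belongs in `registry_set_powershell_logging_disabled.yml`, e.g. `Detects changes to the registry of the currently logged-in user that disable PowerShell module logging, script block logging, transcription or script execution logging`. The `level` bump from `medium` to `high` in the second hunk changes how consumers prioritise this rule and is worth confirming against the upstream rule rather than accepting as part of the bulk refresh.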
@@ -14377,8 +18003,17 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "value": "PowerShell Logging Disabled" + "value": "PowerShell Logging Disabled Via Registry Key Tampering" }, { "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", @@ -14440,8 +18075,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" ], "tags": [ 
@@ -14449,9 +18084,42 @@
 "attack.t1137"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393",
 "value": "IE Change Domain Zone"
 },
+ {
+ "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistence_natural_language.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
+ "https://persistence-info.github.io/Data/naturallanguage6.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8",
+ "value": "Potential Persistence Via DLLPathOverride"
+ },
 {
 "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n",
 "meta": {
@@ -14473,6 +18141,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d",
 "value": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download"
 },
@@ -14489,8 +18166,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ @@ -14500,6 +18177,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "value": "UAC Bypass via Event Viewer - Registry Set" }, @@ -14518,8 +18204,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ 
@@ -14530,6 +18216,30 @@
 "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8",
 "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"
 },
+ {
+ "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way"
+ ],
+ "filename": "registry_set_persistence_mpnotify.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://persistence-info.github.io/Data/mpnotify.html",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3",
+ "value": "Potential Persistence Via Mpnotify"
+ },
 {
 "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
 "meta": {
@@ -14545,8 +18255,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
 ],
 "tags": [
@@ -14578,6 +18288,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "value": "Potential EventLog File Location Tampering" }, @@ -14644,8 +18363,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -14669,9 +18388,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -14679,6 +18398,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "value": "Lsass Full Dump Request Via DumpType Registry Settings" }, 
@@ -14695,9 +18423,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -14730,6 +18458,15 @@ "attack.t1564.002" ] }, + "related": [ + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "value": "Hide User Account Via Special Accounts Reg Key" }, @@ -14746,9 +18483,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ 
@@ -14757,9 +18494,43 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f",
 "value": "Bypass UAC Using DelegateExecute"
 },
+ {
+ "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/22",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistence_ie.yml",
+ "level": "low",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3",
+ "value": "Modification of IE Registry Settings"
+ },
 {
 "description": "Detects that a powershell code is written to the registry as a service.",
 "meta": {
@@ -14781,6 +18552,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d",
 "value": "PowerShell as a Service in Registry"
 },
@@ -14807,6 +18587,15 @@ "attack.t1574.012" ] }, + "related": [ + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "value": "Enabling COR Profiler Environment Variables" }, @@ -14856,6 +18645,15 @@ "cve.2021.1675" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0813366-0407-449a-9869-a2db1119dc41", "value": "Suspicious Printer Driver Empty Manufacturer" }, @@ -14881,6 +18679,15 @@ "attack.t1547.003" ] }, + "related": [ + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "value": "Set TimeProviders DllName" }, @@ -14921,8 +18728,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ 
@@ -14954,33 +18761,18 @@
 "attack.t1070.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e",
 "value": "Disable Administrative Share Creation at Startup"
 },
- {
- "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way"
- ],
- "filename": "registry_set_mpnotify_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
- "https://persistence-info.github.io/Data/mpnotify.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3",
- "value": "Persistence Via Mpnotify"
- },
 {
 "description": "Detects disabling Windows Defender Exploit Guard Network Protection",
 "meta": {
@@ -15005,6 +18797,30 @@
 "uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9",
 "value": "Disable Exploit Guard Network Protection on Windows Defender"
 },
+ {
+ "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "registry_set_persistence_lsa_extension.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1476286368385019906",
+ "https://persistence-info.github.io/Data/lsaaextension.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36",
+ "value": "Potential Persistence Via LSA Extensions"
+ },
 {
 "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification",
 "meta": {
@@ -15018,8 +18834,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
 ],
 "tags": [
@@ -15027,6 +18843,15 @@ "attack.t1547.010" ] }, + "related": [ + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "value": "Bypass UAC Using Event Viewer" }, @@ -15077,6 +18902,15 @@ "attack.t1559.002" ] }, + "related": [ + { + "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "63647769-326d-4dde-a419-b925cc0caf42", "value": "Enable Microsoft Dynamic Data Exchange" }, @@ -15104,6 +18938,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d", "value": "New Application in AppCompat" }, @@ -15120,8 +18963,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ @@ -15145,8 +18988,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/pabraeken/status/998627081360695297", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/VakninHai/status/1517027824984547329", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], 
@@ -15155,6 +18998,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "value": "ScreenSaver Registry Key Set" }, @@ -15171,8 +19023,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://persistence-info.github.io/Data/autodialdll.html", + "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ @@ -15180,7 +19032,7 @@ ] }, "uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", - "value": "Persistence Via AutodialDLL" + "value": "Potential Persistence Via AutodialDLL" }, { "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", @@ -15246,10 +19098,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ 
@@ -15281,6 +19133,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "value": "Modification of Explorer Hidden Keys" }, @@ -15307,6 +19168,15 @@ "attack.t1137" ] }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5df86130-4e95-4a54-90f7-26541b40aec2", "value": "Registry Modification to Hidden File Extension" }, @@ -15321,8 +19191,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" ], "tags": [ @@ -15331,6 +19201,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42f0e038-767e-4b85-9d96-2c6335bad0b5", "value": "Adwind RAT / JRAT - Registry" }, 
@@ -15357,6 +19243,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "724ea201-6514-4f38-9739-e5973c34f49a", "value": "Bypass UAC Using SilentCleanup Task" }, @@ -15373,9 +19268,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml" ], "tags": [ @@ -15423,9 +19318,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", + "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], "tags": [ 
@@ -15448,10 +19343,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://github.com/elastic/detection-rules/issues/1371", - "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://github.com/elastic/detection-rules/issues/1371", + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ 
@@ -15460,33 +19355,18 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", "value": "DNS-over-HTTPS Enabled by Registry" }, - { - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_chm_persistence.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/htmlhelpauthor.html", - "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b", - "value": "CHM Helper DLL Persistence" - }, { "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", "meta": { @@ -15532,6 +19412,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", "value": "Hide Schedule Task Via Index Value Tamper" }, 
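Review bot: The first hunk deletes the whole "CHM Helper DLL Persistence" cluster value (`"uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b"`, `registry_set_chm_persistence.yml`) instead of updating it, and nothing in the hunk says whether the upstream rule was retired or merely moved. Elsewhere in this commit a rename (the IFilter rule) keeps its uuid and only changes `filename`, so if this rule was likewise renamed upstream the regenerated entry should reappear under the same uuid somewhere in the diff; if it was actually removed, any MISP event already tagged with this cluster loses its reference. Galaxy values are addressed by uuid, so the safer pattern for a retired rule is to keep the value and mark it as deprecated in its `description` (or whatever deprecation marker the galaxy schema supports) rather than drop it from the file. Worth confirming which case applies before merging the regenerated output as-is.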
@@ -15548,9 +19437,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ 
@@ -15573,17 +19462,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://twitter.com/_xpn_/status/1268712093928378368", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - 
"https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ 
@@ -15592,34 +19481,18 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", "value": "ETW Logging Disabled In .NET Processes - Sysmon Registry" }, - { - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/30", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_shim_databases_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.011" - ] - }, - "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", - "value": "Registry Key Creation or Modification for Shim DataBase" - }, { "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", "meta": { 
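Review bot: This hunk removes the "Registry Key Creation or Modification for Shim DataBase" value (`"uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45"`) outright, the second silent deletion of a cluster entry in this commit. If the sigma rule was only renamed or folded into another rule, the replacement entry should carry this uuid so existing event tags keep resolving; if it was retired, a deprecated marker in the retained entry is preferable to removal. Since the file is script-generated, the check belongs in the relationship script: diff the set of uuids before and after regeneration and flag disappearances, so a missing rule is a deliberate decision rather than a side effect of the upstream tree changing.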
@@ -15641,8 +19514,17 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", - "value": "COM Hijacking For Persistence With Suspicious Locations" + "value": "Potential Persistence Via COM Hijacking From Suspicious Locations" }, { "description": "Detects modification of autostart extensibility point (ASEP) in registry.", @@ -15659,8 +19541,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ @@ -15693,6 +19575,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", "value": "New Network Provider - Registry" }, 
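Review bot: The first hunk renames the cluster `value` from "COM Hijacking For Persistence With Suspicious Locations" to "Potential Persistence Via COM Hijacking From Suspicious Locations", and because MISP builds the galaxy tag from that string (`misp-galaxy:sigma-rules="..."`) the tag applied to existing events changes even though the uuid does not. The uuid-based cluster link should survive, but any tag-name-based filters, sightings or correlation rules written against the old name will stop matching; the same applies to the other `value` renames in this commit (TypedPaths, non-existent DLL sideloading, system DLL sideloading, VBA DLL). Worth noting in the commit description that the renames mirror upstream sigma title changes, so downstream users know to update saved searches. The enclosing object starts outside the hunk.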
@@ -15709,8 +19600,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], @@ -15755,16 +19646,16 @@ "falsepositive": [ "Legitimate registration of IFilters by the OS or software" ], - "filename": "registry_set_ifilter_persistence.yml", + "filename": "registry_set_persistence_ifilter.yml", "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1468548924600459267", - "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ "attack.persistence" @@ -15810,8 +19701,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" ], "tags": [ 
@@ -15819,7 +19710,7 @@ ] }, "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247", - "value": "Persistence Via TypedPaths" + "value": "Potential Persistence Via TypedPaths" }, { "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", @@ -15835,8 +19726,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -15894,6 +19785,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a", "value": "dotNET DLL Loaded Via Office Applications" }, @@ -15912,9 +19812,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", "https://twitter.com/dez_/status/986614411711442944", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", - "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ 
@@ -15922,6 +19822,15 @@ "attack.t1220" ] }, + "related": [ + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", "value": "WMIC Loading Scripting Libraries" }, @@ -15947,6 +19856,15 @@ "attack.t1055" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "value": "Potential DLL Sideloading Using Coregen.exe" }, @@ -15971,6 +19889,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49329257-089d-46e6-af37-4afce4290685", "value": "SharpEvtMute Imphash EvtMuteHook Load" }, @@ -15987,8 +19914,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ 
@@ -16016,9 +19943,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/bohops/WSMan-WinRM", - "https://twitter.com/chadtilbury/status/1275851297770610688", - "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -16028,6 +19955,22 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "value": "Suspicious WSMAN Provider Image Loads" }, @@ -16052,6 +19995,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4", "value": "Active Directory Parsing DLL Loaded Via Office Applications" }, @@ -16078,6 +20030,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", "value": "Image Load of VSS_PS.dll by Uncommon Executable" }, 
@@ -16105,6 +20066,15 @@ "attack.t1574.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "value": "UAC Bypass With Fake DLL" }, @@ -16121,8 +20091,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/tifkin_/status/1321916444557365248", "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml" ], "tags": [ @@ -16130,6 +20100,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c", "value": "PCRE.NET Package Image Load" }, @@ -16154,6 +20133,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", "value": "GAC DLL Loaded Via Office Applications" }, @@ -16180,6 +20168,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ed5959a-c43c-4c59-84e3-d28628429456", "value": "UAC Bypass Using Iscsicpl - ImageLoad" }, 
@@ -16204,6 +20201,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", "value": "CLR DLL Loaded Via Office Applications" }, @@ -16256,6 +20262,15 @@ "car.2019-04-004" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", "value": "Mimikatz In-Memory" }, @@ -16280,6 +20295,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", "value": "WMI Persistence - Command Line Event Consumer" }, @@ -16323,12 +20347,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/Wh04m1001/SysmonEoP", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/Wh04m1001/SysmonEoP", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ 
@@ -16340,7 +20364,7 @@ ] }, "uuid": "6b98b92b-4f00-4f62-b4fe-4d1920215771", - "value": "Sideloading Of Non-Existent DLLs From System Folders" + "value": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders" }, { "description": "Detects DLL sideloading of DLLs that are part of web browsers", @@ -16418,6 +20442,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "value": "Image Load of VSS Dll by Uncommon Executable" }, @@ -16434,8 +20467,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", + "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ @@ -16470,6 +20503,15 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "value": "SILENTTRINITY Stager Execution - DLL" }, 
@@ -16511,10 +20553,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", - "https://hijacklibs.net/", "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -16526,7 +20568,7 @@ ] }, "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "value": "System DLL Sideloading From Non System Locations" + "value": "Potential System DLL Sideloading From Non System Locations" }, { "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", @@ -16549,6 +20591,15 @@ "attack.t1218.003" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1", "value": "Cmstp Suspicious DLL Load" }, @@ -16573,6 +20624,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", "value": "Active Directory Kerberos DLL Loaded Via Office Applications" }, 
@@ -16589,9 +20649,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", - "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml" ], "tags": [ @@ -16599,6 +20659,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1", "value": "Load of dbghelp/dbgcore DLL from Suspicious Process" }, @@ -16680,6 +20749,15 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f354eba5-623b-450f-b073-0b5b2773b6aa", "value": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load" }, @@ -16710,7 +20788,7 @@ "value": "Python Py2Exe Image Load" }, { - "description": "Detects CLR DLL being loaded by an scripting applications", + "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript", "meta": { "author": "omkar72, oscd.community", "creation_date": "2020/10/14", 
@@ -16723,6 +20801,7 @@ "logsource.product": "windows", "refs": [ "https://github.com/tyranid/DotNetToJScript", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://thewover.github.io/Introducing-Donut/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" @@ -16783,6 +20862,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe6e002f-f244-4278-9263-20e4b593827f", "value": "Alternate PowerShell Hosts - Image" }, @@ -16835,6 +20923,15 @@ "attack.t1587" ] }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", "value": "FoggyWeb Backdoor DLL Loading" }, @@ -16914,6 +21011,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "671bb7e3-a020-4824-a00e-2ee5b55f385e", "value": "WMI Modules Loaded" }, @@ -16939,6 +21045,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93", "value": "Rundll32 Loading Renamed Comsvcs DLL" }, 
@@ -16964,6 +21079,15 @@ "cve.2022.30190" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "value": "MSDT.exe Loading Diagnostic Library" }, @@ -17012,11 +21136,20 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2", "value": "Unsigned Image Loaded Into LSASS Process" }, { - "description": "Detects DLL's Loaded Via Word Containing VBA Macros", + "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", "meta": { "author": "Antonlovesdnb", "creation_date": "2020/02/19", @@ -17036,8 +21169,17 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", - "value": "VBA DLL Loaded Via Microsoft Word" + "value": "VBA DLL Loaded Via Office Application" }, { "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", 
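Review bot: The new description in the second hunk is a sentence fragment, `"Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros."`; it should read `"Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros."`. Because this JSON is regenerated from the SigmaHQ rule, the wording fix belongs upstream in `image_load_office_vbadll_load.yml`'s description (whatever the rule file is named) rather than as a hand edit here, or it will be overwritten on the next run. The widened scope in the third hunk's new `value` ("Via Office Application" instead of "Via Microsoft Word") is consistent with the new description, so no further change there.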
@@ -17127,8 +21269,8 @@ "logsource.product": "windows", "refs": [ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" ], "tags": [ @@ -17138,6 +21280,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", "value": "WMI Script Host Process Image Loaded" }, @@ -17164,6 +21315,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", "value": "In-memory PowerShell" }, @@ -17190,6 +21350,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa", "value": "Wmiprvse Wbemcomn DLL Hijack" }, @@ -17269,6 +21438,15 @@ "cve.2021.34527" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", "value": "Windows Spooler Service Suspicious Binary Load" }, 
@@ -17312,8 +21490,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" ], @@ -17339,9 +21517,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/oulusoyum/status/1191329746069655553", "https://twitter.com/mattifestation/status/1196390321783025666", - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" ], "tags": [ @@ -17351,6 +21529,22 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf", "value": "Time Travel Debugging Utility Usage - Image" }, 
@@ -17401,6 +21595,22 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b", "value": "Suspicious Encoded Scripts in a WMI Consumer" }, @@ -17424,6 +21634,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297", "value": "WMI Event Subscription" }, @@ -17440,9 +21659,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -17450,6 +21669,15 @@ "attack.t1059.005" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "value": "Suspicious Scripting in a WMI Consumer" }, 
@@ -17466,8 +21694,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], @@ -17476,6 +21704,15 @@ "attack.t1095" ] }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c5b20776-639a-49bf-94c7-84f912b91c15", "value": "Netcat The Powershell Version" }, @@ -17493,8 +21730,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/bohops/WSMan-WinRM", - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -17504,6 +21741,22 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", "value": "Suspicious Non PowerShell WSMAN COM Provider" }, 
@@ -17528,6 +21781,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0", "value": "Use Get-NetTCPConnection" }, @@ -17554,6 +21816,22 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445", "value": "Remote PowerShell Session (PS Classic)" }, @@ -17579,6 +21857,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c70e019b-1479-4b65-b0cc-cd0c6093a599", "value": "PowerShell Called from an Executable Version Mismatch" }, @@ -17604,6 +21891,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25", "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell" }, @@ -17630,6 +21926,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7326048-328b-4d5e-98af-86e84b17c765", "value": "Alternate PowerShell Hosts" }, 
@@ -17655,6 +21960,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6331d09b-4785-4c13-980f-f96661356249", "value": "PowerShell Downgrade Attack - PowerShell" }, @@ -17680,6 +21994,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", "value": "Delete Volume Shadow Copies Via WMI With PowerShell" }, @@ -17704,6 +22027,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", "value": "Suspicious XOR Encoded PowerShell Command Line - PowerShell" }, @@ -17728,6 +22060,15 @@ "attack.t1074.001" ] }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "71ff406e-b633-4989-96ec-bc49d825a412", "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" }, @@ -17752,6 +22093,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "value": "Suspicious PowerShell Download" }, 
@@ -17776,6 +22126,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", "value": "Renamed Powershell Under Powershell Channel" }, @@ -17824,6 +22183,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", "value": "Nslookup PowerShell Download Cradle" }, @@ -17850,6 +22218,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "64e8e417-c19a-475a-8d19-98ea705394cc", "value": "Alternate PowerShell Hosts - PowerShell Module" }, @@ -17876,6 +22253,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" }, @@ -17892,9 +22278,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://www.mdeditor.tw/pl/pgRt", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ 
@@ -17902,6 +22288,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", "value": "Bad Opsec Powershell Code Artifacts" }, @@ -17952,6 +22347,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", "value": "PowerShell Decompress Commands" }, @@ -17976,6 +22380,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", "value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" }, @@ -18002,6 +22415,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "value": "Invoke-Obfuscation Via Use Clip - PowerShell Module" }, @@ -18028,6 +22450,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" }, 
@@ -18052,6 +22483,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc", "value": "Suspicious Get Local Groups Information" }, @@ -18077,6 +22517,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b140afd9-474b-4072-958e-2ebb435abd68", "value": "Suspicious Get-ADDBAccount Usage" }, @@ -18093,8 +22542,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml" ], @@ -18103,6 +22552,15 @@ "attack.t1095" ] }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2", "value": "Netcat The Powershell Version - PowerShell Module" }, @@ -18127,6 +22585,15 @@ "attack.t1070.003" ] }, + "related": [ + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f99276ad-d122-4989-a09a-d00904a5f9d2", "value": "Clear PowerShell History - PowerShell Module" }, 
@@ -18153,6 +22620,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2f211361-7dce-442d-b78a-c04039677378", "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" }, @@ -18179,6 +22655,22 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575", "value": "Remote PowerShell Session (PS Module)" }, @@ -18203,6 +22695,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6942bd25-5970-40ab-af49-944247103358", "value": "Suspicious Get Information for SMB Share - PowerShell Module" }, @@ -18229,6 +22730,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" }, @@ -18255,6 +22765,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" }, 
@@ -18278,6 +22797,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9", "value": "Suspicious PowerShell Download - PowerShell Module" }, @@ -18304,6 +22832,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "value": "Invoke-Obfuscation Via Stdin - PowerShell Module" }, @@ -18330,6 +22867,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" }, @@ -18353,6 +22899,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "value": "Suspicious PowerShell Invocations - Generic - PowerShell Module" }, @@ -18377,6 +22932,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", "value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" }, 
@@ -18403,6 +22967,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" }, @@ -18429,6 +23002,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" }, @@ -18452,6 +23034,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "value": "Suspicious PowerShell Invocations - Specific - PowerShell Module" }, @@ -18502,6 +23093,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4", "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module" }, @@ -18526,6 +23126,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", "value": "Use Get-NetTCPConnection - PowerShell Module" }, 
@@ -18552,6 +23161,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" }, @@ -18576,6 +23194,15 @@ "attack.t1074.001" ] }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb", "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" }, @@ -18600,6 +23227,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", "value": "Change User Agents with WebRequest" }, @@ -18624,6 +23260,15 @@ "attack.t1027.009" ] }, + "related": [ + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", "value": "Powershell Token Obfuscation - Powershell" }, 
@@ -18649,11 +23294,20 @@ "attack.t1546" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0332a266-b584-47b4-933d-a00b103e1b37", "value": "Suspicious Get-WmiObject" }, { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell logs", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", "meta": { "author": "James Pemberton / @4A616D6573", "creation_date": "2019/10/24", @@ -18674,8 +23328,17 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1139d2e2-84b1-4226-b445-354492eba8ba", - "value": "Usage Of Web Request Commands And Cmdlets - PowerShell" + "value": "Usage Of Web Request Commands And Cmdlets - ScriptBlock" }, { "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", @@ -18698,6 +23361,15 @@ "attack.t1556.002" ] }, + "related": [ + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "value": "Powershell Install a DLL in System Directory" }, @@ -18722,6 +23394,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91109523-17f0-4248-a800-f81d9e7c081d", "value": "PowerShell WMI Win32_Product Install MSI" }, 
@@ -18748,6 +23429,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation STDIN+ Launcher - Powershell" }, @@ -18773,6 +23463,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", "value": "PowerShell Remote Session Creation" }, @@ -18821,6 +23520,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" }, @@ -18845,6 +23553,15 @@ "attack.t1564.003" ] }, + "related": [ + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", "value": "Suspicious PowerShell WindowStyle Option" }, 
@@ -18861,8 +23578,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], @@ -18871,6 +23588,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78aa1347-1517-4454-9982-b338d6df8343", "value": "Powershell MsXml COM Object" }, @@ -18896,6 +23622,15 @@ "attack.t1497.001" ] }, + "related": [ + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3", "value": "Powershell Detect Virtualization Environment" }, 
@@ -18922,9 +23657,53 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" }, + { + "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_alias_obfscuation.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1027", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", + "value": "Potential PowerShell Obfuscation Using Character Join" + }, { "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", "meta": { @@ -18938,10 +23717,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://adsecurity.org/?p=2277", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://adsecurity.org/?p=2277", + "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ 
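Review bot: In the new cluster added by the second hunk, `value` ("Potential PowerShell Obfuscation Using Character Join") does not match its `description` and `filename`, which both speak of alias obfuscation (`posh_ps_susp_alias_obfscuation.yml`); worth checking against the upstream rule before uuid `e8314f79-564d-4f79-bc13-fbc0bf2660d8` is published, since galaxy uuids are meant to stay stable and a later rename is confusing for consumers. The same entry is tagged both `attack.t1027` and `attack.t1059.001` but its `related` array holds only the dest-uuid that pairs with `attack.t1059.001` everywhere else in this diff (`970a3432-...`); other entries get one related object per technique tag (the two-element arrays on L195 and L211), so either the relationship script skipped T1027 or its mapping table lacks it — presumably the latter, please confirm. Its `refs` also contain the non-URL string "Internal Research", which consumers that render refs as links will mishandle; the generator could keep only URL references or leave a note in the galaxy README that refs may contain free text.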
@@ -18949,6 +23728,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dcd74b95-3f36-4ed9-9598-0490951643aa", "value": "Malicious PowerView PowerShell Commandlets" }, @@ -18975,6 +23763,22 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61", "value": "PowerShell Create Local User" }, @@ -18991,8 +23795,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml" ], "tags": [ @@ -19000,6 +23804,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4cd29327-685a-460e-9dac-c3ab96e549dc", "value": "Execution via CL_Invocation.ps1 - Powershell" }, @@ -19024,6 +23837,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "afd3df04-948d-46f6-ae44-25966c44b97f", "value": "PSAsyncShell - Asynchronous TCP Reverse Shell" }, 
@@ -19040,9 +23862,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], "tags": [ @@ -19050,6 +23872,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", "value": "Powershell Exfiltration Over SMTP" }, @@ -19067,8 +23898,8 @@ "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ 
@@ -19093,8 +23924,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -19151,6 +23982,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ed965133-513f-41d9-a441-e38076a0798f", "value": "Suspicious PowerShell Invocations - Generic" }, @@ -19175,6 +24015,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218", "value": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, @@ -19199,6 +24048,15 @@ "attack.t1119" ] }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5", "value": "Automated Collection Command PowerShell" }, 
@@ -19215,11 +24073,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "http://woshub.com/manage-windows-firewall-powershell/", + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "http://woshub.com/manage-windows-firewall-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -19227,6 +24085,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "488b44e7-3781-4a71-888d-c95abfacf44d", "value": "Windows Firewall Profile Disabled" }, @@ -19252,6 +24119,15 @@ "attack.t1136.002" ] }, + "related": [ + { + "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", "value": "Manipulation of User Computer or Group Security Principals Across AD" }, 
@@ -19276,6 +24152,15 @@ "attack.t1070.003" ] }, + "related": [ + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "602f5669-6927-4688-84db-0d4b7afb2150", "value": "Disable Powershell Command History" }, @@ -19325,6 +24210,15 @@ "attack.t1555.003" ] }, + "related": [ + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fc028194-969d-4122-8abe-0470d5b8f12f", "value": "Access to Browser Login Data" }, @@ -19342,9 +24236,9 @@ "logsource.product": "windows", "refs": [ "https://youtu.be/5mqid-7zp8k?t=2481", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -19375,6 +24269,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "value": "Import PowerShell Modules From Suspicious Directories" }, @@ -19423,6 +24326,15 @@ "attack.t1555" ] }, + "related": [ + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", "value": "Dump Credentials from Windows Credential Manager With PowerShell" }, 
@@ -19448,6 +24360,15 @@
 "attack.t1573"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078",
 "value": "Suspicious SSL Connection"
 },
@@ -19473,7 +24394,7 @@
 "value": "Potential In-Memory Execution Using Reflection.Assembly"
 },
 {
- "description": "Detecting use WinAPI Functions in PowerShell",
+ "description": "Detects use of WinAPI Functions in PowerShell scripts",
 "meta": {
 "author": "Nikita Nazarov, oscd.community, Tim Shelton",
 "creation_date": "2020/10/06",
@@ -19494,8 +24415,24 @@
 "attack.t1106"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "03d83090-8cba-44a0-b02f-0b756a050306",
- "value": "Accessing WinAPI in PowerShell"
+ "value": "Potential WinAPI Calls Via PowerShell Scripts"
 },
 {
 "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n",
@@ -19510,8 +24447,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
 "https://www.powershellgallery.com/packages/DSInternals",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
 ],
 "tags": [
@@ -19519,6 +24456,15 @@
 "attack.t1003.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73",
 "value": "Suspicious Get-ADReplAccount"
 },
@@ -19561,8 +24507,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
 "https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
 ],
@@ -19571,6 +24517,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b",
 "value": "Change PowerShell Policies to an Insecure Level - PowerShell"
 },
@@ -19611,8 +24566,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml"
 ],
 "tags": [
@@ -19620,6 +24575,15 @@
 "attack.t1553.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5947497f-1aa4-41dd-9693-c9848d58727d",
 "value": "Suspicious Unblock-File"
 },
@@ -19668,6 +24632,15 @@
 "attack.t1555"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "603c6630-5225-49c1-8047-26c964553e0e",
 "value": "Enumerate Credentials from Windows Credential Manager With PowerShell"
 },
@@ -19694,6 +24667,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b",
 "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell"
 },
@@ -19710,8 +24692,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml"
 ],
 "tags": [
@@ -19743,6 +24725,15 @@
 "attack.t1546.013"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152",
 "value": "Powershell Trigger Profiles by Add_Content"
 },
@@ -19791,6 +24782,15 @@
 "attack.t1059.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88",
 "value": "Powershell Execute Batch Script"
 },
@@ -19817,6 +24817,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7",
 "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell"
 },
@@ -19842,6 +24851,15 @@
 "attack.t1484.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f",
 "value": "Modify Group Policy Settings - ScriptBlockLogging"
 },
@@ -19866,6 +24884,15 @@
 "attack.t1564.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9",
 "value": "Powershell Store File In Alternate Data Stream"
 },
@@ -19913,6 +24940,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb",
 "value": "Suspicious PowerShell Download - Powershell Script"
 },
@@ -19929,8 +24965,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml"
 ],
 "tags": [
@@ -19938,6 +24974,15 @@
 "attack.t1070.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b8af5f36-1361-4ebe-9e76-e36128d947bf",
 "value": "Use Remove-Item to Delete File"
 },
@@ -19964,6 +25009,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ca8b77a9-d499-4095-b793-5d5f330d450e",
 "value": "PowerShell Credential Prompt"
 },
@@ -19989,6 +25043,15 @@
 "attack.t1021.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6",
 "value": "Execute Invoke-command on Remote Host"
 },
@@ -20014,6 +25077,15 @@
 "attack.t1565"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4368354e-1797-463c-bc39-a309effbe8d7",
 "value": "Powershell Add Name Resolution Policy Table Rule"
 },
@@ -20038,6 +25110,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb",
 "value": "Malicious PowerShell Keywords"
 },
@@ -20064,6 +25145,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002",
 "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell"
 },
@@ -20088,6 +25178,15 @@
 "attack.t1069.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "88f0884b-331d-403d-a3a1-b668cf035603",
 "value": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock"
 },
@@ -20137,6 +25236,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d",
 "value": "PowerShell ADRecon Execution"
 },
@@ -20162,6 +25270,15 @@
 "attack.t1615"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441",
 "value": "Suspicious GPO Discovery With Get-GPO"
 },
@@ -20187,6 +25304,15 @@
 "attack.t1098"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c",
 "value": "Powershell LocalAccount Manipulation"
 },
@@ -20211,6 +25337,15 @@
 "attack.t1048.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c",
 "value": "PowerShell ICMP Exfiltration"
 },
@@ -20242,6 +25377,36 @@
 "attack.s0363"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973",
 "value": "Silence.EDA Detection"
 },
@@ -20258,8 +25423,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
 "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
 ],
 "tags": [
@@ -20267,6 +25432,15 @@
 "attack.t1571"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06",
 "value": "Testing Usage of Uncommonly Used Port"
 },
@@ -20306,9 +25480,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml"
 ],
 "tags": [
@@ -20340,6 +25514,15 @@
 "attack.t1491.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287",
 "value": "Replace Desktop Wallpaper by Powershell"
 },
@@ -20387,6 +25570,15 @@
 "attack.t1003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cd185561-4760-45d6-a63e-a51325112cae",
 "value": "Live Memory Dump Using Powershell"
 },
@@ -20441,9 +25633,53 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0",
 "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell"
 },
+ {
+ "description": "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_susp_set_alias.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/1337Rin/Swag-PSO",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1027",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "96cd126d-f970-49c4-848a-da3a09f55c55",
+ "value": "Potential PowerShell Obfuscation Using Alias Cmdlets"
+ },
 {
 "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.",
 "meta": {
@@ -20506,8 +25742,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "http://www.powertheshell.com/ntfsstreams/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
+ "http://www.powertheshell.com/ntfsstreams/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
 ],
 "tags": [
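Review bot: The new "Potential PowerShell Obfuscation Using Alias Cmdlets" entry in the first hunk tags both `attack.t1027` and `attack.t1059.001`, yet its `related` array holds a single relationship (dest-uuid `970a3432-3237-47ad-bcca-7d8cbb217736`, the same one every other t1059.001-tagged rule in this diff receives), so T1027 appears to have produced no relationship. Other entries in this diff with more than one technique tag receive one relationship per tag (for example the -20517 hunk on the next line gets two), which suggests the relationship script's tag-to-UUID lookup missed T1027 rather than skipping it on purpose; the mapping source is not visible here, so this is worth confirming. If the omission is intended, a short comment in the relationship script stating which `attack.*` tag forms are resolved (tactic, technique, sub-technique, software) would save the next reader the same question.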
@@ -20517,6 +25753,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8c521530-5169-495d-a199-0a3a881ad24e",
 "value": "NTFS Alternate Data Stream"
 },
@@ -20558,8 +25810,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
 ],
 "tags": [
@@ -20567,6 +25819,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb",
 "value": "Powershell Create Scheduled Task"
 },
@@ -20583,8 +25844,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
+ "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
 ],
 "tags": [
@@ -20592,6 +25853,15 @@
 "attack.t1070.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c6438007-e081-42ce-9483-b067fbef33c3",
 "value": "Powershell Timestomp"
 },
@@ -20616,6 +25886,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5",
 "value": "PowerShell PSAttack"
 },
@@ -20641,6 +25920,15 @@
 "attack.t1564.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd",
 "value": "Suspicious Hyper-V Cmdlets"
 },
@@ -20691,6 +25979,15 @@
 "attack.t1003.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81",
 "value": "Create Volume Shadow Copy with Powershell"
 },
@@ -20716,6 +26013,15 @@
 "attack.t1021.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3",
 "value": "Enable Windows Remote Management"
 },
@@ -20755,9 +26061,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://twitter.com/oroneequalsone/status/1568432028361830402",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://twitter.com/oroneequalsone/status/1568432028361830402",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
 ],
 "tags": [
@@ -20765,6 +26071,15 @@
 "attack.t1070.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278",
 "value": "Suspicious Eventlog Clear"
 },
@@ -20789,6 +26104,15 @@
 "attack.t1069.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab",
 "value": "Suspicious Get Information for SMB Share"
 },
@@ -20834,6 +26158,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7",
 "value": "Malicious ShellIntel PowerShell Commandlets"
 },
@@ -20851,8 +26184,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
 ],
 "tags": [
@@ -20860,6 +26193,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b",
 "value": "WMIC Unquoted Services Path Lookup - PowerShell"
 },
@@ -20911,6 +26253,15 @@
 "attack.t1553.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96",
 "value": "Suspicious Invoke-Item From Mount-DiskImage"
 },
@@ -20935,6 +26286,15 @@
 "attack.t1114.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614",
 "value": "Powershell Local Email Collection"
 },
@@ -20976,8 +26336,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
 ],
 "tags": [
@@ -21001,8 +26361,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bohops/status/948061991012327424",
 "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+ "https://twitter.com/bohops/status/948061991012327424",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml"
 ],
 "tags": [
@@ -21010,6 +26370,15 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f588e69b-0750-46bb-8f87-0e9320d57536",
 "value": "Execution via CL_Invocation.ps1 (2 Lines)"
 },
@@ -21034,6 +26403,15 @@
 "attack.t1560"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6dc5d284-69ea-42cf-9311-fb1c3932a69a",
 "value": "Data Compressed - PowerShell"
 },
@@ -21075,8 +26453,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
 ],
 "tags": [
@@ -21110,6 +26488,15 @@
 "attack.t1003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "189e3b02-82b2-4b90-9662-411eb64486d4",
 "value": "Potential Invoke-Mimikatz PowerShell Script"
 },
@@ -21135,6 +26522,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153",
 "value": "Troubleshooting Pack Cmdlet Execution"
 },
@@ -21160,6 +26556,15 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "39776c99-1c7b-4ba0-b5aa-641525eee1a4",
 "value": "Execution via CL_Mutexverifiers.ps1"
 },
@@ -21235,6 +26640,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0",
 "value": "Invoke-Obfuscation Via Use Clip - Powershell"
 },
@@ -21284,6 +26698,15 @@
 "attack.t1553.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "29e1c216-6408-489d-8a06-ee9d151ef819",
 "value": "Suspicious Mount-DiskImage"
 },
@@ -21300,10 +26723,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
- "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
 "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
 "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
+ "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
 ],
 "tags": [
@@ -21311,6 +26734,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf",
 "value": "Suspicious PowerShell Keywords"
 },
@@ -21335,6 +26767,15 @@
 "attack.t1119"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3",
 "value": "Recon Information for Export with PowerShell"
 },
@@ -21375,8 +26816,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
+ "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml"
 ],
 "tags": [
@@ -21384,6 +26825,15 @@
 "attack.t1201"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82",
 "value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy"
 },
@@ -21400,8 +26850,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
 ],
 "tags": [
@@ -21409,6 +26859,15 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0718cd72-f316-4aa2-988f-838ea8533277",
 "value": "Suspicious Start-Process PassThru"
 },
@@ -21433,6 +26892,15 @@
 "attack.t1531"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107",
 "value": "Remove Account From Domain Admin Group"
 },
@@ -21457,6 +26925,15 @@
 "attack.t1070.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "66a4d409-451b-4151-94f4-a55d559c49b0",
 "value": "PowerShell Deleted Mounted Share"
 },
@@ -21481,6 +26958,15 @@
 "attack.t1090"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bd33d2aa-497e-4651-9893-5c5364646595",
 "value": "Suspicious TCP Tunnel Via PowerShell Script"
 },
@@ -21508,6 +26994,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd",
 "value": "PowerShell ShellCode"
 },
@@ -21533,6 +27028,15 @@
 "attack.t1552.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c",
 "value": "Suspicious Export-PfxCertificate"
 },
@@ -21557,6 +27061,15 @@
 "attack.t1069.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb",
 "value": "Suspicious Get Local Groups Information - PowerShell"
 },
@@ -21581,6 +27094,15 @@
 "attack.t1074.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9",
 "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script"
 },
@@ -21598,8 +27120,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
 ],
 "tags": [
@@ -21622,10 +27144,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
 "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
 "https://twitter.com/ScumBots/status/1610626724257046529",
- "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
 ],
 "tags": [
@@ -21650,8 +27172,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
 ],
 "tags": [
@@ -21683,6 +27205,15 @@
 "attack.t1070.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "26b692dc-1722-49b2-b496-a8258aa6371d",
 "value": "Clear PowerShell History - PowerShell"
 },
@@ -21707,6 +27238,15 @@
 "attack.t1069.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee",
 "value": "Active Directory Group Enumeration With Get-AdGroup"
 },
@@ -21754,13 +27294,29 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43",
 "value": "Dnscat Execution"
 },
 {
 "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
 "meta": {
- "author": "Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update), Max Altgelt (update), Tobias Michalski (update), Austin Songer (@austinsonger) (update)",
+ "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer",
 "creation_date": "2017/03/05",
 "falsepositive": [
 "Unknown"
@@ -21770,17 +27326,19 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://adsecurity.org/?p=2921",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/samratashok/nishang",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
 ],
 "tags": [
@@ -21796,6 +27354,43 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6",
 "value": "Malicious PowerShell Commandlets - ScriptBlock"
 },
@@ -21822,6 +27417,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e54f5149-6ba3-49cf-b153-070d24679126",
 "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell"
 },
@@ -21838,9 +27442,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
 "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
 "https://www.shellhacks.com/clear-history-powershell/",
+ "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
 ],
 "tags": [
@@ -21849,6 +27453,15 @@
 "attack.t1070.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7",
 "value": "Clearing Windows Console History"
 },
@@ -21873,6 +27486,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b",
 "value": "Powershell XML Execute Command"
 },
@@ -21896,6 +27518,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71",
 "value": "Suspicious PowerShell Invocations - Specific"
 },
@@ -21922,6 +27553,22 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88",
 "value": "Windows Defender Exclusions Added - PowerShell"
 },
@@ -21938,8 +27585,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
 ],
@@ -21969,6 +27616,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f772cee9-b7c2-4cb2-8f07-49870adc02e0",
 "value": "Malicious Nishang PowerShell Commandlets"
 },
@@ -21994,6 +27650,15 @@
 "attack.t1546.015"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437",
 "value": "Suspicious GetTypeFromCLSID ShellExecute"
 },
@@ -22019,6 +27684,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7",
 "value": "WMImplant Hack Tool"
 },
@@ -22043,6 +27724,15 @@
 "attack.t1574.012"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "23590215-4702-4a70-8805-8dc9e58314a2",
 "value": "Registry-Free Process Scope COR_PROFILER"
 },
@@ -22068,6 +27758,15 @@
 "attack.t1048"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355",
 "value": "Powershell DNSExfiltration"
 },
@@ -22094,9 +27793,43 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759",
 "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell"
 },
+ {
+ "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_susp_ace_tampering.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "2f77047c-e6e9-4c11-b088-a3de399524cd",
+ "value": "Potential Persistence Via Security Descriptors - ScriptBlock"
+ },
 {
 "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.",
 "meta": {
@@ -22110,8 +27843,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
 ],
 "tags": [
@@ -22119,6 +27852,15 @@
 "attack.t1546.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85",
 "value": "Powershell WMI Persistence"
 },
@@ -22145,6 +27887,15 @@
 "attack.t1020"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb",
 "value": "Windows PowerShell Upload Web Request"
 },
@@ -22169,6 +27920,15 @@
 "attack.t1137.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad",
 "value": "Code Executed Via Office Add-in XLL File"
 },
@@ -22185,8 +27945,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
 "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml"
 ],
 "tags": [
@@ -22218,6 +27978,15 @@
 "attack.t1217"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf",
 "value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell"
 },
@@ -22234,8 +28003,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
 ],
 "tags": [
@@ -22243,6 +28012,15 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42",
 "value": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script"
 },
@@ -22269,6 +28047,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "73e67340-0d25-11eb-adc1-0242ac120002",
 "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell"
 },
@@ -22293,6 +28080,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb",
 "value": "PowerShell Get-Process LSASS in ScriptBlock"
 },
@@ -22317,6 +28113,15 @@
 "attack.t1070.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb",
 "value": "Suspicious IO.FileStream"
 },
@@ -22343,6 +28148,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7",
 "value": "Invoke-Obfuscation Via Stdin - Powershell"
 },
@@ -22392,6 +28206,15 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6609c444-9670-4eab-9636-fe4755a851ce",
 "value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)"
 },
@@ -22416,6 +28239,15 @@
 "attack.t1006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c",
 "value": "Raw Disk Access Using Illegitimate Tools"
 },
@@ -22432,8 +28264,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
 "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
+ "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
 ],
 "tags": [
@@ -22441,6 +28273,15 @@
 "attack.t1055.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
 "value": "CobaltStrike Process Injection"
 },
@@ -22465,6 +28306,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50",
 "value": "Accessing WinAPI in PowerShell. Code Injection"
 },
@@ -22490,6 +28340,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505",
 "value": "Password Dumper Remote Thread in LSASS"
 },
@@ -22516,6 +28375,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "994cac2b-92c2-44bf-8853-14f6ca39fbda",
 "value": "Bumblebee Remote Thread Creation"
 },
@@ -22540,6 +28415,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fb656378-f909-47c1-8747-278bf09f4f4f",
 "value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread"
 },
@@ -22565,6 +28449,15 @@
 "attack.t1055.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03",
 "value": "Remote Thread Creation in Suspicious Targets"
 },
@@ -22581,9 +28474,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/denandz/KeeFarce",
 "https://github.com/GhostPack/KeeThief",
 "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/denandz/KeeFarce",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
 ],
 "tags": [
@@ -22591,6 +28484,15 @@
 "attack.t1555.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a",
 "value": "KeePass Password Dumping"
 },
@@ -22607,8 +28509,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://twitter.com/SBousseaden/status/1090588499517079552",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
 ],
 "tags": [
@@ -22620,6 +28522,36 @@
 "attack.t1218.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40",
 "value": "CACTUSTORCH Remote Thread Creation"
 },
@@ -22636,8 +28568,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "Personal research, statistical analysis",
 "https://lolbas-project.github.io",
+ "Personal research, statistical analysis",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
 ],
 "tags": [
@@ -22691,6 +28623,15 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c15e99a3-c474-48ab-b9a7-84549a7a9d16",
 "value": "Remote Thread Creation Ttdinject.exe Proxy"
 },
@@ -22715,6 +28656,15 @@
 "attack.t1055.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee",
 "value": "CreateRemoteThread API and LoadLibrary"
 },
@@ -22741,6 +28691,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e",
 "value": "PowerShell Rundll32 Remote Thread Creation"
 },
@@ -22766,6 +28732,22 @@
 "attack.t1068"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6",
 "value": "Usage Of Malicious POORTRY Signed Driver"
 },
@@ -22831,10 +28813,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
- "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
+ "https://github.com/fengjixuchui/gdrv-loader",
 "https://twitter.com/malmoeb/status/1551449425842786306",
 "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
- "https://github.com/fengjixuchui/gdrv-loader",
+ "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
 ],
 "tags": [
@@ -22883,18 +28865,18 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/namazso/physmem_drivers",
 "https://github.com/jbaines-r7/dellicious",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
 "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
- "https://github.com/stong/CVE-2020-15368",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
+ "https://github.com/namazso/physmem_drivers",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
 ],
 "tags": [
@@ -22903,6 +28885,15 @@
 "attack.t1068"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c316eac1-f3d8-42da-ad1c-66dcec5ca787",
 "value": "Vulnerable Driver Load By Name"
 },
@@ -22927,6 +28918,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "46deb5e1-28c9-4905-b2df-51cdcc9e6073",
 "value": "PowerShell Scripts Run by a Services"
 },
@@ -22979,6 +28979,22 @@
 "attack.t1557.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "679085d5-f427-4484-9f58-1dc30a7c426d",
 "value": "WinDivert Driver Load"
 },
@@ -22995,22 +29011,22 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", - "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/namazso/physmem_drivers", "https://github.com/jbaines-r7/dellicious", - "https://github.com/stong/CVE-2020-15368", - "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/tandasat/ExploitCapcom", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + 
"https://github.com/CaledoniaProject/drivers-binaries", + "https://github.com/stong/CVE-2020-15368", + "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", + "https://github.com/namazso/physmem_drivers", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml" ], "tags": [ @@ -23019,6 +29035,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "value": "Vulnerable Driver Load" }, @@ -23045,6 +29070,22 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "value": "Vulnerable Dell BIOS Update Driver Load" }, 
@@ -23076,6 +29117,50 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", "value": "Credential Dumping Tools Service Execution" }, @@ -23092,8 +29177,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://processhacker.sourceforge.io/", "https://systeminformer.sourceforge.io/", + "https://processhacker.sourceforge.io/", "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml" ], @@ -23103,6 +29188,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d", "value": "Process Hacker and System Informer Driver Load" }, 
@@ -23144,8 +29238,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", "https://github.com/alfarom256/CVE-2022-3699/", + "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml" ], "tags": [ @@ -23154,6 +29248,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", "value": "Vulnerable Lenovo Driver Load" }, @@ -23179,6 +29282,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b", "value": "PowerShell Network Connections" }, @@ -23197,8 +29309,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", - "https://twitter.com/M_haggis/status/900741347035889665", "https://twitter.com/M_haggis/status/1032799638213066752", + "https://twitter.com/M_haggis/status/900741347035889665", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" ], "tags": [ 
@@ -23208,6 +29320,22 @@ "attack.t1567.001" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", "value": "Microsoft Binary Github Communication" }, @@ -23276,9 +29404,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://content.fireeye.com/apt-41/rpt-apt41", - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], "tags": [ @@ -23287,6 +29415,22 @@ "attack.t1102.001" ] }, + "related": [ + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", "value": "Dead Drop Resolvers" }, @@ -23311,6 +29455,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc", "value": "Script Initiated Connection to Non-Local Network" }, 
@@ -23350,8 +29503,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" ], "tags": [ @@ -23359,6 +29512,15 @@ "attack.t1218.001" ] }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "468a8cea-2920-4909-a593-0cbe1d96674a", "value": "HH.EXE Network Connections" }, @@ -23383,6 +29545,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", "value": "Wuauclt Network Connection" }, @@ -23408,6 +29579,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263", "value": "Rundll32 Internet Connection" }, 
@@ -23461,6 +29641,22 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", "value": "Regsvr32 Network Activity" }, @@ -23488,6 +29684,22 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", "value": "Remote PowerShell Session (Network)" }, @@ -23514,6 +29726,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "value": "Microsoft Sync Center Suspicious Network Connections" }, @@ -23542,6 +29763,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "value": "RDP to HTTP or HTTPS Target Ports" }, 
@@ -23568,6 +29798,15 @@ "attack.t1203" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "value": "Excel Network Connections" }, @@ -23592,6 +29831,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0dba975d-a193-4ed1-a067-424df57570d1", "value": "Certutil Initiated Connection" }, @@ -23608,8 +29856,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" ], "tags": [ @@ -23617,6 +29865,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9976fa64-2804-423c-8a5b-646ade840773", "value": "Suspicious Outbound SMTP Connections" }, 
@@ -23633,10 +29890,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/M_haggis/status/900741347035889665", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://twitter.com/M_haggis/status/1032799638213066752", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://twitter.com/M_haggis/status/900741347035889665", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ @@ -23644,6 +29901,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "value": "Microsoft Binary Suspicious Communication Endpoint" }, 
@@ -23675,6 +29941,43 @@ "attack.s0508" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", "value": "Communication To Ngrok Tunneling Service" }, @@ -23699,6 +30002,15 @@ "attack.t1571" ] }, + "related": [ + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", "value": "Suspicious Typical Malware Back Connect Ports" }, @@ -23723,6 +30035,15 @@ "attack.t1127.001" ] }, + "related": [ + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "value": "Silenttrinity Stager Msbuild Activity" }, 
@@ -23770,6 +30091,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c", "value": "Script Initiated Connection" }, @@ -23820,6 +30150,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", "value": "Suspicious Program Location with Network Connections" }, @@ -23847,6 +30186,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "value": "RDP Over Reverse SSH Tunnel" }, @@ -23863,8 +30211,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://ngrok.com/", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" ], "tags": [ @@ -23872,6 +30220,15 @@ "attack.t1567.001" ] }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18249279-932f-45e2-b37a-8925f2597670", "value": "Communication To Ngrok.Io" }, 
@@ -23888,8 +30245,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ @@ -23897,6 +30254,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", "value": "Download a File with IMEWDBLD.exe" }, @@ -23924,6 +30290,22 @@ "attack.t1559.001" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cfed2f44-16df-4bf3-833a-79405198b277", "value": "Dllhost Internet Connection" }, @@ -23948,6 +30330,15 @@ "attack.t1218.003" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d", "value": "Cmstp Making Network Connection" }, 
@@ -23964,8 +30355,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://twitter.com/forensicitguy/status/1513538712986079238", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ @@ -23973,6 +30364,15 @@ "attack.t1203" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "value": "Equation Editor Network Connection" }, @@ -23989,8 +30389,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" ], "tags": "No established tags" @@ -24011,8 +30411,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://megatools.megous.com/", "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://megatools.megous.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" ], "tags": [ 
@@ -24020,6 +30420,15 @@ "attack.t1567.001" ] }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "value": "Communication To Mega.nz" }, @@ -24044,6 +30453,15 @@ "attack.t1496" ] }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", "value": "Windows Crypto Mining Pool Connections" }, @@ -24069,6 +30487,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", "value": "Msiexec Initiated Connection" }, @@ -24085,8 +30512,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://adsecurity.org/?p=2398", + "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml" ], "tags": [ @@ -24095,6 +30522,22 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720", "value": "Suspicious Process Writes Ntds.dit" }, 
@@ -24111,8 +30554,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -24137,11 +30580,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -24149,6 +30592,15 @@ "attack.t1036.007" ] }, + "related": [ + { + "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8", "value": "Suspicious LNK Double Extension Files" }, 
@@ -24173,6 +30625,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", "value": "Suspicious Creation TXT File in User Desktop" }, @@ -24242,6 +30703,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74", "value": "Unidentified Attacker November 2018 - File" }, @@ -24254,7 +30724,7 @@ "Legitimate use of the profile by developers or administrators" ], "filename": "file_event_win_susp_vscode_powershell_profile.yml", - "level": "high", + "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ @@ -24267,6 +30737,15 @@ "attack.t1546.013" ] }, + "related": [ + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", "value": "VsCode Powershell Profile Modification" }, 
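Review bot: The `level` of `file_event_win_susp_vscode_powershell_profile.yml` drops from `high` to `medium` in the `@@ -24254,7 +30724,7 @@` hunk, and it is the only severity change visible in this chunk, sitting among generated `related` and `refs` lines. Consumers that filter galaxy entries by `level` will stop surfacing this rule, so the upstream downgrade is worth naming in the commit description (e.g. `VsCode Powershell Profile Modification: level high -> medium (upstream)`) rather than leaving it implicit in the regenerated file. The rest of that rule's entry is outside the hunk.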
@@ -24307,11 +30786,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/helpsystems/nanodump", - "https://www.google.com/search?q=procdump+lsass", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://www.google.com/search?q=procdump+lsass", + "https://github.com/helpsystems/nanodump", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ @@ -24319,6 +30798,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391", "value": "LSASS Process Memory Dump Files" }, @@ -24344,6 +30832,15 @@ "cve.2021.26858" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "value": "CVE-2021-26858 Exchange Exploitation" }, @@ -24369,6 +30866,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "value": "Dumpert Process Dumper Default File" }, 
@@ -24395,6 +30901,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", "value": "PsExec Service File Creation" }, @@ -24435,11 +30950,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -24447,6 +30962,15 @@ "attack.t1036.007" ] }, + "related": [ + { + "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "value": "Suspicious Double Extension Files" }, @@ -24519,6 +31043,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2", "value": "GoToAssist Temporary Installation Artefact" }, 
@@ -24590,6 +31123,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc", "value": "Legitimate Application Dropped Executable" }, @@ -24635,6 +31177,15 @@ "attack.t1137.006" ] }, + "related": [ + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "value": "Microsoft Office Add-In Loading" }, @@ -24644,7 +31195,7 @@ "author": "@ScoubiMtl", "creation_date": "2021/04/05", "falsepositive": [ - "User genuinly creates a VB Macro for their email" + "User genuinely creates a VB Macro for their email" ], "filename": "file_event_win_outlook_c2_macro_creation.yml", "level": "medium", @@ -24662,6 +31213,29 @@ "attack.t1546" ] }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", "value": "Outlook C2 Macro Creation" }, 
@@ -24678,8 +31252,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
 "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
+ "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml"
 ],
 "tags": [
@@ -24687,6 +31261,15 @@
 "attack.t1564"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "74babdd6-a758-4549-9632-26535279e654",
 "value": "Suspicious Executable File Creation"
 },
@@ -24703,9 +31286,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/cube0x0/CVE-2021-1675",
 "https://github.com/afwu/PrintNightmare",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
 ],
 "tags": [
@@ -24716,6 +31299,15 @@
 "cve.2021.1675"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07",
 "value": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern"
 },
@@ -24740,6 +31332,15 @@
 "attack.t1003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66",
 "value": "Mimikatz MemSSP Default Log File Creation"
 },
@@ -24782,8 +31383,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
 "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
+ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml"
 ],
 "tags": [
@@ -24794,6 +31395,15 @@
 "cve.2021.31979"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef",
 "value": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum"
 },
@@ -24844,6 +31454,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01",
 "value": "TeamViewer Remote Session"
 },
@@ -24874,6 +31493,43 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab",
 "value": "BloodHound Collection Files"
 },
@@ -24924,6 +31580,15 @@
 "attack.t1137"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece",
 "value": "Office Template Creation"
 },
@@ -24948,6 +31613,15 @@
 "attack.t1195.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9",
 "value": "Octopus Scanner Malware"
 },
@@ -24974,6 +31648,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449",
 "value": "Inveigh Execution Artefacts"
 },
@@ -25000,6 +31683,15 @@
 "attack.defense_evasion"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "409f8a98-4496-4aaa-818a-c931c0a8b832",
 "value": "Created Files by Microsoft Sync Center"
 },
@@ -25024,15 +31716,26 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211",
 "value": "Suspicious Binary Writes Via AnyDesk"
 },
 {
- "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.",
+ "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n",
 "meta": {
 "author": "Greg (rule)",
 "creation_date": "2022/07/21",
- "falsepositive": "No established falsepositives",
+ "falsepositive": [
+ "Unknown"
+ ],
 "filename": "file_event_win_ripzip_attack.yml",
 "level": "high",
 "logsource.category": "file_event",
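Review bot: The rewritten RipZip description in the second hunk now ends with a trailing `\n` and carries two embedded `\n` separators, which looks like the YAML block scalar was copied verbatim by the generator rather than normalised. Stripping the description before emitting it (`description.strip()` in the generator, or equivalent) would keep this value consistent with the single-line descriptions elsewhere in the file; the unchanged remote-access-software entry later in this diff shows the same trailing `\n`, so the normalisation probably belongs in the script rather than in the data. The accompanying change of `falsepositive` from a bare string to `["Unknown"]` is the right direction, since the other entries use an array for that key.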
@@ -25042,12 +31745,12 @@
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml"
 ],
 "tags": [
- "attack.t1547",
- "attack.persistence"
+ "attack.persistence",
+ "attack.t1547"
 ]
 },
 "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb",
- "value": "RipZip Attack on Startup Folder"
+ "value": "Potential RipZip Attack on Startup Folder"
 },
 {
 "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.",
@@ -25062,11 +31765,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
 "tags": [
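Review bot: The RipZip entry keeps `attack.t1547` in its tags (the first hunk only swaps the two tag lines and renames the value) yet receives no `related` array, while every other technique-tagged entry touched in this commit gains one, so the new relationship script appears to have skipped this rule. It is worth confirming whether T1547 is absent from the script's technique lookup, or whether the tag order change interfered, before the generated cross-links are relied on for pivoting from ATT&CK techniques to rules. The Winnti dropper entry further down (`130c9e58-28ac-4f83-8574-0a4cc913b97e`) is also left without a `related` block, though its tags sit outside that hunk so it may simply carry no technique tag.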
@@ -25123,11 +31826,20 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "68578b43-65df-4f81-9a9b-92f32711a951",
 "value": "UAC Bypass Using Windows Media Player - File"
 },
 {
- "description": "Detects the creation of known powershell scripts for exploitation",
+ "description": "Detects the creation of known offensive powershell scripts used for exploitation",
 "meta": {
 "author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein",
 "creation_date": "2018/04/07",
@@ -25139,19 +31851,21 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
 "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/NetSPI/PowerUpSQL",
 "https://github.com/CsEnox/EventViewer-UACBypass",
 "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/NetSPI/PowerUpSQL",
 "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/PowerShellMafia/PowerSploit",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/samratashok/nishang",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
 ],
 "tags": [
@@ -25159,6 +31873,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb",
 "value": "Malicious PowerShell Commandlets - FileCreation"
 },
@@ -25175,9 +31898,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
 ],
 "tags": [
@@ -25187,6 +31910,15 @@
 "attack.t1505.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6",
 "value": "Suspicious File Drop by Exchange"
 },
@@ -25213,6 +31945,15 @@
 "attack.t1505.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9",
 "value": "Suspicious MSExchangeMailboxReplication ASPX Write"
 },
@@ -25229,8 +31970,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/tifkin_/status/1321916444557365248",
 "https://twitter.com/rbmaslen/status/1321859647091970051",
+ "https://twitter.com/tifkin_/status/1321916444557365248",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml"
 ],
 "tags": [
@@ -25238,6 +31979,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da",
 "value": "PCRE.NET Package Temp Files"
 },
@@ -25290,6 +32040,43 @@
 "attack.t1003.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6",
 "value": "Cred Dump Tools Dropped Files"
 },
@@ -25316,6 +32103,15 @@
 "attack.t1546.013"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b5b78988-486d-4a80-b991-930eff3ff8bf",
 "value": "PowerShell Profile Modification"
 },
@@ -25340,6 +32136,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9711de76-5d4f-4c50-a94f-21e4e8f8384d",
 "value": "Installation of TeamViewer Desktop"
 },
@@ -25365,6 +32170,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6",
 "value": "UAC Bypass Using .NET Code Profiler on MMC"
 },
@@ -25381,8 +32195,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml"
 ],
 "tags": [
@@ -25414,6 +32228,15 @@
 "attack.persistence"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4",
 "value": "WMI Persistence - Script Event Consumer File Write"
 },
@@ -25439,6 +32262,15 @@
 "attack.t1021.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa",
 "value": "Potential DCOM InternetExplorer.Application DLL Hijack"
 },
@@ -25491,7 +32323,7 @@
 "value": "Drop Binaries Into Spool Drivers Color Folder"
 },
 {
- "description": "Detects actions caused by the RedMimicry Winnti playbook",
+ "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook",
 "meta": {
 "author": "Alexander Rausch",
 "creation_date": "2020/06/24",
@@ -25503,7 +32335,7 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://redmimicry.com",
+ "https://redmimicry.com/posts/redmimicry-winnti/#dropper",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml"
 ],
 "tags": [
@@ -25512,7 +32344,7 @@
 ]
 },
 "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e",
- "value": "RedMimicry Winnti Playbook Dropped File"
+ "value": "Potential Winnti Dropper Activity"
 },
 {
 "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.",
@@ -25527,8 +32359,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
+ "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
 ],
 "tags": [
@@ -25536,6 +32368,15 @@
 "attack.t1552.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724",
 "value": "Suspicious PFX File Creation"
 },
@@ -25553,8 +32394,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/klinix5/InstallerFileTakeOver",
 "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
+ "https://github.com/klinix5/InstallerFileTakeOver",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
 ],
 "tags": [
@@ -25562,6 +32403,15 @@
 "attack.t1068"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324",
 "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event"
 },
@@ -25590,20 +32440,22 @@
 "value": "Mimikatz Kirbi File Creation"
 },
 {
- "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context",
+ "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.",
 "meta": {
- "author": "frack113",
+ "author": "frack113, omkar72, oscd.community, Wojciech Lesicki",
 "creation_date": "2022/11/18",
 "falsepositive": [
- "Legitimate use"
+ "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675"
 ],
 "filename": "file_event_win_net_cli_artefact.yml",
- "level": "medium",
+ "level": "high",
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
 ],
 "tags": [
@@ -25611,6 +32463,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c",
 "value": "NET CLR Binary Execution Usage Log Artifact"
 },
@@ -25627,8 +32488,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
 "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
+ "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
 "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
 ],
@@ -25653,9 +32514,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
 "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
 ],
 "tags": [
@@ -25677,8 +32538,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
 "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
 ],
 "tags": [
@@ -25687,6 +32548,22 @@
 "attack.t1059.007"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1",
 "value": "Adwind RAT / JRAT File Artifact"
 },
@@ -25711,6 +32588,15 @@
 "attack.t1137.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917",
 "value": "Outlook Form Installation"
 },
@@ -25727,8 +32613,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
 ],
 "tags": [
@@ -25736,6 +32622,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f625",
 "value": "LSASS Process Dump Artefact In CrashDumps Folder"
 },
@@ -25761,8 +32656,17 @@
 "attack.t1003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a",
- "value": "Remote Credential Dump"
+ "value": "Potential Remote Credential Dumping Activity"
 },
 {
 "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
@@ -25785,6 +32689,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377",
 "value": "Anydesk Temporary Artefact"
 },
@@ -25809,6 +32722,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb",
 "value": "Wmiexec Default Output File"
 },
@@ -25858,6 +32780,15 @@
 "attack.t1546.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8",
 "value": "Suspicious Screensaver Binary File Creation"
 },
@@ -25900,8 +32831,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
 ],
 "tags": [
@@ -25909,6 +32840,15 @@
 "attack.execution"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4",
 "value": "Created Files by Office Applications"
 },
@@ -25933,6 +32873,15 @@
 "attack.t1027.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0",
 "value": "Dynamic C Sharp Compile Artefact"
 },
@@ -25942,7 +32891,7 @@
 "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
 "creation_date": "2020/05/02",
 "falsepositive": [
- "An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate"
+ "FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate"
 ],
 "filename": "file_event_win_startup_folder_file_write.yml",
 "level": "medium",
@@ -25983,6 +32932,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1",
 "value": "UAC Bypass Using NTFS Reparse Point - File"
 },
@@ -25999,8 +32957,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://pentestlab.blog/tag/ntds-dit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
@@ -26010,6 +32968,15 @@
 "attack.t1003.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d",
 "value": "Suspicious NTDS.DIT Creation"
 },
@@ -26026,9 +32993,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
+ "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
 ],
 "tags": [
@@ -26036,6 +33003,15 @@
 "attack.t1003.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a",
 "value": "Suspicious NTDS Exfil Filename Patterns"
 },
@@ -26061,6 +33037,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e074832a-eada-4fd7-94a1-10642b130e16",
 "value": "SafetyKatz Default Dump Filename"
 },
@@ -26077,8 +33062,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", + "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" ], "tags": [ @@ -26086,6 +33071,15 @@ "attack.t1587" ] }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", "value": "Suspicious Word Cab File Write CVE-2021-40444" }, @@ -26134,6 +33128,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48ea844d-19b1-4642-944e-fe39c2cc1fec", "value": "UAC Bypass Using IDiagnostic Profile - File" }, @@ -26159,6 +33162,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "value": "Suspicious Desktopimgdownldr Target File" }, @@ -26184,6 +33196,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "value": "UAC Bypass Using Consent and Comctl32 - File" }, 
@@ -26200,11 +33221,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/cube0x0/CVE-2021-36934", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/search?q=CVE-2021-36934", "https://github.com/FireFart/hivenightmare", + "https://github.com/cube0x0/CVE-2021-36934", + "https://github.com/search?q=CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ 
@@ -26212,36 +33233,17 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "value": "SAM Dump File Creation" - }, - { - "description": "Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.", - "meta": { - "author": "omkar72, oscd.community, Wojciech Lesicki", - "creation_date": "2020/10/12", - "falsepositive": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" - ], - "filename": "file_event_win_susp_clr_logs.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml", - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1218" - ] - }, - "uuid": "e4b63079-6198-405c-abd7-3fe8b0ce3263", - "value": "Suspicious CLR Logs Creation" + "value": "Potential SAM Database Dump" }, { "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", 
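Review bot: The `Suspicious CLR Logs Creation` element (uuid e4b63079-6198-405c-abd7-3fe8b0ce3263) is deleted outright, so any MISP event already tagged with that name or referencing that uuid will now point at a cluster element that no longer exists. The rename in the same hunk, `"SAM Dump File Creation"` → `"Potential SAM Database Dump"`, has the same effect on the tag string even though uuid 4e87b8e2-… is kept, because the `value` is the text a `misp-galaxy:sigma-rules="…"` tag carries. Rather than dropping the entry, keep it with a `meta` note that the upstream rule was removed (presumably moved to Sigma's deprecated folder, which this diff does not show) so existing references keep resolving, and record the previous `value` on renamed entries so tag consumers can map old names to new ones.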
@@ -26290,6 +33292,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41bb431f-56d8-4691-bb56-ed34e390906f", "value": "UAC Bypass Using MSConfig Token Modification - File" }, @@ -26339,6 +33350,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "value": "EVTX Created In Uncommon Location" }, @@ -26355,10 +33375,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/WiredPulse/Invoke-HiveNightmare", - "https://github.com/FireFart/hivenightmare/", - "https://github.com/GossiTheDog/HiveNightmare", "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/GossiTheDog/HiveNightmare", + "https://github.com/FireFart/hivenightmare/", + "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" ], "tags": [ @@ -26392,6 +33412,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "value": "UAC Bypass Abusing Winsat Path Parsing - File" }, @@ -26416,6 +33445,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", "value": "QuarksPwDump Dump File" }, 
@@ -26432,9 +33470,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" ], "tags": [ @@ -26442,6 +33480,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", "value": "Suspicious VHD Image Download From Browser" }, @@ -26467,6 +33514,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", "value": "UAC Bypass Using IEInstal - File" }, @@ -26491,6 +33547,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fec96f39-988b-4586-b746-b93d59fd1922", "value": "ScreenConnect Temporary Installation Artefact" }, @@ -26520,6 +33585,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", "value": "Potential Initial Access via DLL Search Order Hijacking" }, 
@@ -26544,6 +33618,15 @@ "attack.t1564" ] }, + "related": [ + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", "value": "Suspicious Creation with Colorcpl" }, @@ -26567,6 +33650,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52753ea4-b3a0-4365-910d-36cff487b789", "value": "Hijack Legit RDP Session to Move Laterally" }, @@ -26592,7 +33684,7 @@ ] }, "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692", - "value": "Persistence Via Notepad++ Plugins" + "value": "Potential Persistence Via Notepad++ Plugins" }, { "description": "Detects windows executables that writes files with suspicious extensions", @@ -26637,6 +33729,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "value": "LSASS Memory Dump File Creation" }, 
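Review bot: The link added for `Hijack Legit RDP Session to Move Laterally` is generated from `attack.t1219` and points at 4061e78c-1284-44b4-9116-73e4ac3912f7, which is the Remote Access Software attack-pattern; the rule's own title describes lateral movement by abusing an existing RDP session, which in ATT&CK terms is RDP Hijacking (T1563.002) or Remote Services: RDP (T1021.001), not adversary-installed remote access tooling. The rule's detection logic is not visible in this hunk, so this is inferred from the title, but the mismatch is large enough that publishing it as `almost-certain` is misleading. The tag originates in the upstream Sigma rule, so the correction belongs there; the generator could at least flag entries where the technique's tactic and the rule's tactic tags disagree before emitting a relationship.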
@@ -26653,10 +33754,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": "No established tags" @@ -26686,6 +33787,15 @@ "cve.2022.24527" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", "value": "CVE-2022-24527 Microsoft Connected Cache LPE" }, @@ -26738,6 +33848,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "297afac9-5d02-4138-8c58-b977bac60556", "value": "Creation of an Executable by an Executable" }, 
@@ -26778,9 +33897,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" ], "tags": [ @@ -26788,6 +33907,15 @@ "attack.command_and_control" ] }, + "related": [ + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "value": "Suspicious ADSI-Cache Usage By Unknown Tool" }, @@ -26804,8 +33932,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/Sam0x90/status/1552011547974696960", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -26837,6 +33965,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File" }, 
@@ -26912,6 +34049,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "value": "Suspicious Get-Variable.exe Creation" }, @@ -26936,6 +34082,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "value": "WerFault LSASS Process Memory Dump" }, @@ -26961,6 +34116,15 @@ "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f624", "value": "Suspicious File Event With Teams Objects" }, @@ -26985,6 +34149,15 @@ "attack.t1546.002" ] }, + "related": [ + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", "value": "Writing Local Admin Share" }, @@ -27009,6 +34182,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d", "value": "SCR File Write Event" }, @@ -27033,6 +34215,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489", "value": "CrackMapExec File Creation Patterns" }, 
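Review bot: `Writing Local Admin Share` is linked to ce4b7013-640e-48a9-b501-d0025a95f4bf, which as far as I can tell is the Event Triggered Execution: Screensaver (T1546.002) attack-pattern, because the tag in this hunk reads `attack.t1546.002`. Writing into an administrative share is SMB/Windows Admin Shares (T1021.002) or Lateral Tool Transfer (T1570); the screensaver technique is unrelated, so the `almost-certain` relationship is wrong on its face. The error is in the upstream Sigma tag rather than in this script, but a cheap guard in the relationship generator, rejecting links whose technique belongs to a tactic the rule does not tag (the rule's tactic tag sits above the hunk and is not visible), would have caught this class of mistake.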
@@ -27057,6 +34248,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26", "value": "Legitimate Application Dropped Archive" }, @@ -27073,11 +34273,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Wh04m1001/SysmonEoP", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/Wh04m1001/SysmonEoP", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -27114,6 +34314,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "value": "Wmiprvse Wbemcomn DLL Hijack - File" }, @@ -27138,6 +34347,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d604714-e071-49ff-8726-edeb95a70679", "value": "Legitimate Application Dropped Script" }, 
@@ -27155,6 +34373,8 @@ "logsource.product": "windows", "refs": [ "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "http://addbalance.com/word/startup.htm", + "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml" ], "tags": [ @@ -27162,6 +34382,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "value": "Creation In User Word Startup Folder" }, @@ -27211,6 +34440,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "value": "Rclone Config File Creation" }, @@ -27227,8 +34465,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1552932770464292864", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://twitter.com/cyb3rops/status/1552932770464292864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" ], "tags": [ 
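Review bot: `Creation In User Word Startup Folder` is linked to 212306d8-efa4-44c9-8c2d-ed3d2e224aa0 via `attack.t1587.001`, i.e. Develop Capabilities: Malware, a pre-compromise Resource Development technique that host telemetry cannot observe; a file_event rule on the Word STARTUP folder sees persistence, which is Office Application Startup (T1137, Add-ins T1137.006). The same `t1587.001`/`t1587` mapping appears on other file_event entries in this diff (the VHD download, the executable-drops-executable and the CVE-2021-40444 cab-write rules), so the problem looks systematic and the galaxy will assert near-certain links to a technique that cannot be detected this way. Separately, the new reference `http://addbalance.com/word/startup.htm` is plain HTTP; if the page is reachable over HTTPS, prefer that for a link analysts will follow from a SOC console.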
@@ -27279,8 +34517,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -27288,6 +34526,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "value": "Suspicious Appended Extension" }, @@ -27359,6 +34606,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", "value": "Deletes Backup Files" }, @@ -27384,6 +34640,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "value": "Sysinternals SDelete File Deletion" }, @@ -27408,6 +34673,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", "value": "Delete Log from Application" }, 
@@ -27431,6 +34705,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "value": "Prefetch File Deletion" }, @@ -27447,8 +34730,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml" ], "tags": [ @@ -27459,6 +34742,15 @@ "cve.2021.1675" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", "value": "Windows Spooler Service Suspicious File Deletion" }, @@ -27523,8 +34815,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" ], "tags": [ @@ -27532,6 +34824,15 @@ "attack.credential_access" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "value": "Credential Manager Access" }, 
@@ -27548,8 +34849,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ @@ -27557,6 +34858,15 @@ "attack.t1555.004" ] }, + "related": [ + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46612ae6-86be-4802-bc07-39b59feb1309", "value": "Suspicious Access To Windows DPAPI Master Keys" }, @@ -27585,6 +34895,15 @@ "attack.credential_access" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf", "value": "Browser Credential Store Access" }, @@ -27601,8 +34920,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", + "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" ], "tags": [ 
@@ -27610,6 +34929,15 @@ "attack.t1555.004" ] }, + "related": [ + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", "value": "Suspicious Access To Windows Credential History File" }, @@ -27658,9 +34986,52 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "value": "File Creation Date Changed to Another Year" }, + { + "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL", + "meta": { + "author": "frack113", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "dns_query_win_lolbin_appinstaller.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://twitter.com/notwhickey/status/1333900137232523264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "value": "AppX Package Installation Attempts Via AppInstaller" + }, { "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", "meta": { 
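Review bot: The re-added AppInstaller entry keeps uuid 7cff77e1-9663-46a3-8260-17f2e1aa9d0a but changes `value` from the old `"AppInstaller Attempts From URL by DNS"` (removed in a later hunk of this diff) to `"AppX Package Installation Attempts Via AppInstaller"`, and because `value` is the string MISP tags carry, tags applied under the old name stop matching even though the element survives. The description also explains what AppInstaller.exe is without saying what the rule observes; given `logsource.category` is `dns_query`, a first sentence such as `Detects DNS queries issued by AppInstaller.exe, which is spawned by the ms-appinstaller URI handler to fetch a package from a remote URL` would make the entry self-explanatory. Both text changes come from the upstream Sigma rule, so the wording fix belongs there, but recording the previous value in `meta` for renamed entries would soften the break for tag consumers.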
@@ -27682,6 +35053,15 @@ "attack.t1554" ] }, + "related": [ + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "value": "DNS HybridConnectionManager Service Bus" }, 
@@ -27706,34 +35086,18 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "065cceea-77ec-4030-9052-fc0affea7110", "value": "DNS Query for Anonfiles.com Domain" }, - { - "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL", - "meta": { - "author": "frack113", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unknown" - ], - "filename": "dns_query_win_lobas_appinstaller.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/notwhickey/status/1333900137232523264", - "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", - "value": "AppInstaller Attempts From URL by DNS" - }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { 
@@ -27747,9 +35111,9 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml" ], @@ -27758,6 +35122,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "value": "DNS Query To Remote Access Software Domain" }, @@ -27785,6 +35158,22 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36e037c4-c228-4866-b6a3-48eb292b9955", "value": "Regsvr32 Network Activity - DNS" }, 
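Review bot: `Regsvr32 Network Activity - DNS` receives two `related` links while only one technique tag, `attack.t1218.010`, is visible in the hunk; b97f1d35-4249-4486-a6b5-ee60ccf24fab is the current Regsvr32 (T1218.010) attack-pattern, and if 2f6b4ed7-fef1-44ba-bcb8-1b0be9657611 is the pre-sub-technique Regsvr32 entry (revoked T1117) — I cannot confirm which object it names from here — the script is linking to a revoked pattern. Links to revoked or deprecated ATT&CK objects go stale or mislead when the attack-pattern galaxy is refreshed. If the second uuid comes from a name-based lookup that matches both the current and the revoked object, the generator should skip objects flagged revoked/deprecated and keep only the current one; if it derives from a second tag above the hunk, disregard this.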
@@ -27809,6 +35198,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "value": "DNS Query for Ufile.io Upload Domain" }, @@ -27833,6 +35231,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3", "value": "DNS Query for MEGA.io Upload Domain" }, @@ -27858,6 +35265,15 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006", "value": "Suspicious Cobalt Strike DNS Beaconing" }, @@ -27883,6 +35299,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "value": "Suspicious TeamViewer Domain Access" }, @@ -27907,6 +35332,15 @@ "attack.t1090.003" ] }, + "related": [ + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "value": "Query Tor Onion Address" }, @@ -27931,6 +35365,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "value": "Suspicious LDAP Domain Access" }, 
@@ -27953,6 +35396,15 @@ "attack.t1189" ] }, + "related": [ + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eb07e747-2552-44cd-af36-b659ae0958e4", "value": "Possible DNS Rebinding" }, @@ -27978,6 +35430,15 @@ "attack.t1590" ] }, + "related": [ + { + "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", "value": "Suspicious DNS Query for IP Lookup Service APIs" }, @@ -28027,6 +35488,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", "value": "Suspicious Minimized MSEdge Start" }, @@ -28051,6 +35521,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", "value": "Suspicious Subsystem for Linux Bash Execution" }, @@ -28075,6 +35554,15 @@ "attack.t1218.005" ] }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", "value": "MSHTA Spwaned by SVCHOST" }, 
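Review bot: The context line `"value": "MSHTA Spwaned by SVCHOST"` carries a typo ("Spwaned") that this commit does not address, and because `value` is the tag string, the misspelling is reproduced in every MISP tag applied from this element. The fix belongs in the upstream Sigma rule title (`MSHTA Spawned by SVCHOST`) so the next regeneration picks it up; note that correcting it renames the tag, as the other renames in this diff do, so uuid ed5d72a6-f8f4-479d-ba79-02f6a80d7471 must be kept unchanged when it happens.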
@@ -28091,8 +35579,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml" ], "tags": [ @@ -28100,6 +35588,15 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "value": "MMC20 Lateral Movement" }, @@ -28225,6 +35722,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", "value": "Rundll32 InstallScreenSaver Execution" }, @@ -28250,6 +35756,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand" }, @@ -28274,6 +35789,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "value": "Suspicious Control Panel DLL Load" }, 
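Review bot: The `refs` arrays are rewritten in an order that matches neither the old file nor any sort order — in the MMC20 hunk here the Google Drive link moves below the enigma0x3 link, and the rundll32 hunk in L313 interleaves seven links arbitrarily — which looks like iteration over an unordered `set` in the relationship script before the SigmaHQ link is appended. This pure reordering churn appears again in L313, L314, L315, L316, L317, L318, L319, L320, L321, L322, L323, L324, L326, L327, L328, L329 and L330 and buries the real changes (the dropped attack.mitre.org links in L319 and L324, presumably upstream Sigma edits). Suggest keeping the upstream rule's reference order, or deduplicating with an order-preserving construct and sorting deterministically before appending the SigmaHQ link, so a regenerated file diffs only where content changed.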
@@ -28319,12 +35843,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1433344116071583746", - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", "https://twitter.com/eral4m/status/1479106975967240209", - "https://twitter.com/eral4m/status/1479080793003671557", "https://twitter.com/Hexacorn/status/885258886428725250", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/nas_bench/status/1433344116071583746", "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://twitter.com/eral4m/status/1479080793003671557", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml" ], "tags": [ @@ -28332,6 +35856,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9", "value": "Suspicious Rundll32 Activity" }, @@ -28356,6 +35889,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7", "value": "PsExec Service Start" }, @@ -28380,6 +35922,15 @@ "attack.t1217" ] }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", "value": "Suspicious DIR Execution" }, 
@@ -28405,6 +35956,15 @@ "attack.t1021" ] }, + "related": [ + { + "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", "value": "Psexec Accepteula Condition" }, @@ -28421,9 +35981,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", - "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", "https://securelist.com/my-name-is-dtrack/93338/", + "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", + "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" ], "tags": [ @@ -28431,6 +35991,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", "value": "DTRACK Process Creation" }, @@ -28480,6 +36049,15 @@ "attack.t1539" ] }, + "related": [ + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "24c77512-782b-448a-8950-eddb0785fc71", "value": "SQLite Chrome Cookie DB Access" }, 
@@ -28496,8 +36074,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml" ], "tags": [ @@ -28505,6 +36083,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "value": "ScreenConnect Backstage Mode Anomaly" }, @@ -28531,6 +36118,29 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", "value": "Exfiltration and Tunneling Tools Execution" }, 
@@ -28547,8 +36157,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" ], "tags": [ @@ -28556,6 +36166,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", "value": "CL_LoadAssembly.ps1 Proxy Execution" }, @@ -28572,8 +36191,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" ], "tags": [ @@ -28583,6 +36202,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "value": "DNS RCE CVE-2020-1350" }, 
@@ -28600,8 +36235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" ], "tags": [ @@ -28609,6 +36244,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" }, @@ -28634,6 +36278,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", "value": "XORDump Use" }, @@ -28650,9 +36303,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/frack113/status/1555830623633375232", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" ], "tags": [ 
@@ -28660,6 +36313,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1", "value": "Use Short Name Path in Image" }, @@ -28682,6 +36344,15 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "value": "MMC Spawning Windows Shell" }, @@ -28753,6 +36424,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "value": "Microsoft IIS Connection Strings Decryption" }, @@ -28777,6 +36457,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", "value": "IOX Tunneling Tool" }, @@ -28793,9 +36482,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", - "https://twitter.com/countuponsec/status/910977826853068800", "https://twitter.com/countuponsec/status/910969424215232518", + "https://twitter.com/countuponsec/status/910977826853068800", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ 
@@ -28803,6 +36492,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", "value": "Dumping Process via Sqldumper.exe" }, @@ -28851,6 +36549,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ae81040-fc1c-4249-bfa3-938d260214d9", "value": "Use Icacls to Hide File to Everyone" }, @@ -28867,10 +36574,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1036/", + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", - "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" ], "tags": [ @@ -28879,6 +36585,15 @@ "attack.t1036.005" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "96036718-71cc-4027-a538-d1587e0006a7", "value": "Windows Processes Suspicious Parent Directory" }, 
@@ -28951,6 +36666,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" }, @@ -28977,6 +36701,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", "value": "Malicious Payload Download via Office Binaries" }, @@ -29001,6 +36734,15 @@ "attack.t1204" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", "value": "Snatch Ransomware" }, @@ -29017,9 +36759,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" ], "tags": [ @@ -29027,6 +36769,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", "value": "TrustedPath UAC Bypass Pattern" }, 
@@ -29043,8 +36794,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" ], "tags": [ @@ -29052,6 +36803,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", "value": "Use of Wfc.exe" }, @@ -29068,10 +36828,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" ], "tags": [ 
@@ -29082,6 +36842,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "99c840f2-2012-46fd-9141-c761987550ef", "value": "Bitsadmin Download File from IP" }, @@ -29098,9 +36874,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/1420053502554951689", "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://twitter.com/Hexacorn/status/1420053502554951689", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" ], "tags": [ @@ -29109,6 +36885,22 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "value": "Suspicious LSASS Process Clone" }, 
@@ -29138,6 +36930,22 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "value": "Potential PE Metadata Tamper Using Rcedit" }, @@ -29164,6 +36972,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "47688f1b-9f51-4656-b013-3cc49a166a36", "value": "Base64 Encoded Listing of Shadowcopy" }, @@ -29180,9 +36997,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://github.com/SigmaHQ/sigma/issues/1009", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" ], "tags": [ @@ -29228,8 +37045,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", + "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ 
@@ -29237,6 +37054,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1e59c230-6670-45bf-83b0-98903780607e", "value": "Gpscript Execution" }, @@ -29253,12 +37079,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1482/", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://attack.mitre.org/techniques/T1016/", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -29267,6 +37091,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "value": "Recon Activity with NLTEST" }, @@ -29291,6 +37124,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", "value": "Netsh RDP Port Opening" }, 
@@ -29315,6 +37157,15 @@ "attack.t1505.002" ] }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", "value": "MSExchange Transport Agent Installation" }, @@ -29342,6 +37193,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", "value": "CMSTP Execution Process Creation" }, @@ -29373,6 +37233,36 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079", "value": "WannaCry Ransomware" }, @@ -29397,6 +37287,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", "value": "Suspicious Add Scheduled Task From User AppData Temp" }, 
@@ -29422,6 +37321,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "438025f9-5856-4663-83f7-52f878a70a50", "value": "Microsoft Office Product Spawning Windows Shell" }, @@ -29447,6 +37355,22 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "value": "Suspicious XOR Encoded PowerShell Command Line" }, @@ -29463,8 +37387,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/mandiant/SharPersist", + "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" ], "tags": [ @@ -29514,8 +37438,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound", "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/BloodHoundAD/SharpHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" ], "tags": [ 
@@ -29529,6 +37453,43 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "value": "Bloodhound and Sharphound Hack Tool" }, @@ -29545,8 +37506,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" ], "tags": [ @@ -29554,6 +37515,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", "value": "Suspicious WMIC ActiveScriptEventConsumer Creation" }, 
@@ -29580,6 +37550,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "value": "WMI Persistence - Script Event Consumer" }, @@ -29605,6 +37584,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42333b2c-b425-441c-b70e-99404a17170f", "value": "Sliver C2 Implant Activity Pattern" }, @@ -29653,6 +37641,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "value": "Suspicious Processes Spawned by WinRM" }, @@ -29723,6 +37720,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "value": "F-Secure C3 Load by Rundll32" }, @@ -29739,8 +37745,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" ], "tags": [ 
@@ -29748,6 +37754,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1", "value": "Cmd.exe CommandLine Path Traversal" }, @@ -29796,6 +37811,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", "value": "Suspicious Sigverif Execution" }, @@ -29822,6 +37846,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74403157-20f5-415d-89a7-c505779585cf", "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString" }, @@ -29870,6 +37903,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "185d7418-f250-42d0-b72e-0c8b70661e93", "value": "Suspicious Diantz Download and Compress Into a CAB File" }, @@ -29888,9 +37930,9 @@ "refs": [ "https://isc.sans.edu/diary/22264", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" ], "tags": [ 
@@ -29901,6 +37943,22 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c",
 "value": "Bitsadmin Download from Suspicious Domain"
 },
@@ -29917,9 +37975,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1534915321856917506",
- "https://twitter.com/nas_bench/status/1534916659676422152",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
+ "https://twitter.com/nas_bench/status/1534916659676422152",
+ "https://twitter.com/nas_bench/status/1534915321856917506",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml"
 ],
 "tags": [
@@ -29928,6 +37986,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53",
 "value": "Use of Adplus.exe"
 },
@@ -29944,8 +38011,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml"
 ],
@@ -29955,6 +38022,15 @@
 "attack.s0029"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4",
 "value": "NirCmd Tool Execution As LOCAL SYSTEM"
 },
@@ -29981,6 +38057,15 @@
 "attack.t1027"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7",
 "value": "Malicious Base64 Encoded Powershell Invoke Cmdlets"
 },
@@ -30006,6 +38091,15 @@
 "attack.t1059.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "966e4016-627f-44f7-8341-f394905c361f",
 "value": "WMIExec VBS Script"
 },
@@ -30033,7 +38127,7 @@
 "value": "Taskmgr as LOCAL_SYSTEM"
 },
 {
- "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity",
+ "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity",
 "meta": {
 "author": "Florian Roth",
 "creation_date": "2021/04/23",
@@ -30053,6 +38147,15 @@
 "attack.t1552.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349",
 "value": "PowerShell Get-Process LSASS"
 },
@@ -30078,6 +38181,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801",
 "value": "Use Of The SFTP.EXE Binary As A LOLBIN"
 },
@@ -30104,6 +38216,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d",
 "value": "UAC Bypass Using IDiagnostic Profile"
 },
@@ -30120,8 +38241,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
 "https://twitter.com/harr0ey/status/989617817849876488",
+ "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml"
 ],
 "tags": [
@@ -30129,6 +38250,15 @@
 "attack.t1218.011"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05",
 "value": "Code Execution via Pcwutl.dll"
 },
@@ -30181,6 +38311,15 @@
 "attack.t1059.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39",
 "value": "Conhost.exe CommandLine Path Traversal"
 },
@@ -30206,6 +38345,15 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb",
 "value": "Renamed jusched.exe"
 },
@@ -30232,6 +38380,15 @@
 "attack.t1222.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde",
 "value": "Suspicious Recursive Takeown"
 },
@@ -30281,6 +38438,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2",
 "value": "UAC Bypass Using Windows Media Player - Process"
 },
@@ -30305,6 +38471,15 @@
 "attack.t1572"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da",
 "value": "Suspicious Plink Usage RDP Tunneling"
 },
@@ -30353,6 +38528,15 @@
 "attack.t1055.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d1aa3382-abab-446f-96ea-4de52908210b",
 "value": "TAIDOOR RAT DLL Load"
 },
@@ -30377,6 +38561,15 @@
 "attack.t1068"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16",
 "value": "SystemNightmare Exploitation Script Execution"
 },
@@ -30393,9 +38586,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/wermgr.exe",
- "https://github.com/binderlabs/DirCreate2System",
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://github.com/binderlabs/DirCreate2System",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
 ],
 "tags": "No established tags"
@@ -30425,6 +38618,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e",
 "value": "Suspicious RASdial Activity"
 },
@@ -30441,8 +38643,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1562072617552678912",
 "https://ss64.com/nt/cmd.html",
+ "https://twitter.com/cyb3rops/status/1562072617552678912",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml"
 ],
 "tags": [
@@ -30450,6 +38652,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd",
 "value": "Missing Space Characters in Command Lines"
 },
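Review bot: In the first hunk here (wermgr.exe rule, `proc_creation_win_susp_wermgr.yml`) the new side still carries `"tags": "No established tags"`, a string, while every other entry in this file has `tags` as an array of `attack.*` strings; a consumer that iterates `meta.tags` will either fail or iterate characters on this entry. The line is unchanged context, so this looks like a pre-existing fallback in the generator for rules without tags rather than something this commit introduced, but since the commit reworks the generation script it is the natural place to fix it: emit `"tags": []` (or omit the key) and keep one type per key. The same sentinel-string pattern appears for `logsource.category`/`logsource.product` ("No established …"), which is type-consistent and can stay.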
@@ -30466,10 +38677,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/raspberry-robin/",
- "https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://redcanary.com/blog/raspberry-robin/",
+ "https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
 ],
 "tags": [
@@ -30477,6 +38688,15 @@
 "attack.t1218.008"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e",
 "value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe"
 },
@@ -30502,6 +38722,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf",
 "value": "Download Arbitrary Files Via MSPUB.EXE"
 },
@@ -30527,6 +38756,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7",
 "value": "Abusing Permissions Using Dsacls"
 },
@@ -30552,6 +38790,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f426547a-e0f7-441a-b63e-854ac5bdf54d",
 "value": "Perl Inline Command Execution"
 },
@@ -30579,6 +38826,15 @@
 "attack.t1615"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72",
 "value": "Gpresult Display Group Policy Information"
 },
@@ -30595,8 +38851,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
 "https://github.com/carlospolop/PEASS-ng",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml"
 ],
 "tags": [
@@ -30631,6 +38887,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34",
 "value": "Execution via stordiag.exe"
 },
@@ -30647,8 +38912,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
 "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml"
@@ -30660,6 +38925,22 @@
 "attack.t1021.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2",
 "value": "Impacket Lateralization Detection"
 },
@@ -30686,6 +38967,22 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e",
 "value": "Execute Code with Pester.bat"
 },
@@ -30757,6 +39054,15 @@
 "cve.2021.35211"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "75578840-9526-4b2a-9462-af469a45e767",
 "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322"
 },
@@ -30773,9 +39079,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
 ],
 "tags": [
@@ -30783,6 +39089,15 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d",
 "value": "Sensitive Registry Access via Volume Shadow Copy"
 },
@@ -30807,6 +39122,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b",
 "value": "Unusual Parent Process for cmd.exe"
 },
@@ -30833,6 +39157,15 @@
 "attack.t1027"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e",
 "value": "Suspicious Base64 Encoded Powershell Invoke"
 },
@@ -30857,6 +39190,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e",
 "value": "File Download with Headless Browser"
 },
@@ -30882,6 +39224,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c",
 "value": "UAC Bypass Using PkgMgr and DISM"
 },
@@ -30907,6 +39258,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cd71385d-fd9b-4691-9b98-2b1f7e508714",
 "value": "Lolbin Runexehelper Use As Proxy"
 },
@@ -30957,6 +39317,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed",
 "value": "Winword LOLBIN Usage"
 },
@@ -30987,6 +39356,22 @@
 "attack.t1218.011"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20",
 "value": "Sofacy Trojan Loader Activity"
 },
@@ -31027,8 +39412,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml"
 ],
 "tags": [
@@ -31052,8 +39437,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
 "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
+ "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml"
 ],
 "tags": [
@@ -31061,6 +39446,15 @@
 "attack.t1071.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "36222790-0d43-4fe8-86e4-674b27809543",
 "value": "DNS Tunnel Technique from MuddyWater"
 },
@@ -31085,6 +39479,15 @@
 "attack.t1564.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4281cb20-2994-4580-aa63-c8b86d019934",
 "value": "Hiding Files with Attrib.exe"
 },
@@ -31110,6 +39513,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403",
 "value": "Suspicious Registration via cscript.exe"
 },
@@ -31224,9 +39636,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.poweradmin.com/paexec/",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.poweradmin.com/paexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml"
 ],
 "tags": [
@@ -31234,6 +39646,15 @@
 "attack.t1587.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23",
 "value": "PsExec/PAExec Escalation to LOCAL SYSTEM"
 },
@@ -31259,33 +39680,18 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e",
 "value": "Sysprep on AppData Folder"
 },
- {
- "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/05/24",
- "falsepositive": [
- "Other tools that work with encoded scripts in the command line instead of script files"
- ],
- "filename": "proc_creation_win_susp_powershell_cmd_patterns.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c",
- "value": "Suspicious PowerShell Encoded Command Patterns"
- },
 {
 "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet",
 "meta": {
@@ -31308,6 +39714,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009",
 "value": "Suspicious Desktopimgdownldr Command"
 },
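Review bot: The second part of this hunk deletes the whole cluster entry with `"uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c"` ("Suspicious PowerShell Encoded Command Patterns") and nothing in the visible diff re-emits it. Galaxy cluster UUIDs are what events and other galaxies reference, so if the generator dropped it because the upstream rule was removed or deprecated (I cannot tell from the hunk), any existing reference to that UUID now dangles. Unless the entry is re-emitted elsewhere in the new file, keeping it with its description marked as retired is safer than deleting it; it would be worth confirming which case applies before merging.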
@@ -31332,6 +39747,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb",
 "value": "Wlrmdr Lolbin Use as Launcher"
 },
@@ -31348,14 +39772,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
 "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
 ],
 "tags": [
@@ -31365,16 +39789,32 @@
 "attack.t1218.013"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394",
 "value": "Rename Mavinject Execution"
 },
 {
- "description": "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell",
+ "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.",
 "meta": {
 "author": "FPT.EagleEye, wagga",
 "creation_date": "2021/03/03",
 "falsepositive": [
- "Administrative might use this function for checking network connectivity"
+ "Administrative might use this function to check network connectivity"
 ],
 "filename": "proc_creation_win_powershell_reverse_shell_connection.yml",
 "level": "high",
@@ -31382,6 +39822,7 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
 ],
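Review bot: The rewritten `falsepositive` line in the second hunk still reads `"Administrative might use this function to check network connectivity"`; the subject is wrong and the edit only changed the verb phrase, so `"Administrators might use this function to check network connectivity"` is the intended text. Since this file appears to be generated from the upstream Sigma rule (`proc_creation_win_powershell_reverse_shell_connection.yml`), the wording fix belongs in that rule rather than in this JSON, otherwise the next regeneration reverts it. The enclosing cluster entry continues past the hunk.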
@@ -31390,8 +39831,17 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be",
- "value": "Powershell Reverse Shell Connection"
+ "value": "Potential Powershell ReverseShell Connection"
 },
 {
 "description": "Detects using Diskshadow.exe to execute arbitrary code in text file",
@@ -31415,9 +39865,42 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2",
 "value": "Execution via Diskshadow.exe"
 },
+ {
+ "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_turn_on_dev_features.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "a383dec4-deec-4e6e-913b-ed9249670848",
+ "value": "Potential Signing Bypass Via Windows Developer Features"
+ },
 {
 "description": "Detects netsh commands that configure a port forwarding (PortProxy)",
 "meta": {
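Review bot: In the third hunk, the newly added entry `a383dec4-deec-4e6e-913b-ed9249670848` ("Potential Signing Bypass Via Windows Developer Features") has `"Internal Research"` as its first `refs` element, whereas every other `refs` array in this file holds URLs only. Consumers that render `refs` as links (MISP does for galaxy meta refs, as far as I can tell) will produce a broken link for that element; if the generator cannot drop non-URL refs at build time, the upstream rule is where the placeholder should be removed. Note also that this entry carries only the tactic tag `attack.defense_evasion` and therefore gets no `related` block, which is consistent with how the rest of the diff maps only technique tags.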
@@ -31432,9 +39915,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.dfirnotes.net/portproxy_detection/",
 "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
 ],
 "tags": [
@@ -31444,6 +39927,15 @@
 "attack.t1090"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614",
 "value": "Netsh Port Forwarding"
 },
@@ -31470,6 +39962,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734",
 "value": "MSDT Executed with Suspicious Parent"
 },
@@ -31524,6 +40025,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1",
 "value": "Suspicious PowerShell Command Line"
 },
@@ -31548,6 +40058,15 @@
 "attack.t1555.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c",
 "value": "Suspicious Key Manager Access"
 },
@@ -31564,8 +40083,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
 "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
+ "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml"
 ],
 "tags": [
@@ -31573,6 +40092,15 @@
 "attack.t1562.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d",
 "value": "Netsh Program Allowed with Suspcious Location"
 },
@@ -31589,8 +40117,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
 "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
 ],
 "tags": [
@@ -31604,6 +40132,29 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab",
 "value": "Operation Wocao Activity"
 },
@@ -31629,6 +40180,15 @@
 "attack.t1087.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "502b42de-4306-40b4-9596-6f590c81f073",
 "value": "Local Accounts Discovery"
 },
@@ -31645,12 +40205,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml"
 ],
 "tags": [
@@ -31661,6 +40221,29 @@
 "attack.defense_evasion"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8",
 "value": "New Lolbin Process by Office Applications"
 },
@@ -31677,9 +40260,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
 ],
 "tags": [
@@ -31699,6 +40282,71 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4",
 "value": "HTML Help Shell Spawn"
 },
@@ -31754,13 +40402,29 @@
 "attack.s0404"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f",
 "value": "Copying Sensitive Files with Credential Data"
 },
 {
 "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
 "meta": {
- "author": "Florian Roth, Nasreddine Bencherchali (updated)",
+ "author": "Florian Roth, Nasreddine Bencherchali",
 "creation_date": "2020/07/03",
 "falsepositive": [
 "Unknown"
@@ -31770,10 +40434,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://twitter.com/max_mal_/status/1542461200797163522",
 "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
 "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
 ],
 "tags": [
@@ -31781,6 +40445,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468",
 "value": "Suspicious Curl Usage on Windows"
 },
@@ -31821,9 +40494,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
 "https://ss64.com/nt/dsacls.html",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
 ],
 "tags": [
@@ -31831,6 +40504,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c",
 "value": "Password Spraying Attempts Using Dsacls"
 },
@@ -31847,9 +40529,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
 "https://github.com/h3v0x/CVE-2021-26084_Confluence",
 "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
 ],
 "tags": [
@@ -31859,9 +40541,58 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11",
 "value": "Atlassian Confluence CVE-2021-26084"
 },
+ {
+ "description": "Detects potential DLL injection and execution using \"Tracker.exe\"",
+ "meta": {
+ "author": "Avneet Singh @v3t0_, oscd.community",
+ "creation_date": "2020/10/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_tracker.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea",
+ "value": "Potential DLL Injection Or Execution Using Tracker.exe"
+ },
 {
 "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc",
 "meta": {
@@ -31884,6 +40615,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8",
 "value": "Suspicious WMIC Execution - ProcessCallCreate"
 },
@@ -31900,9 +40640,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
- "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
 "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
 ],
 "tags": [
@@ -31910,6 +40650,15 @@
 "attack.t1003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701",
 "value": "Microsoft IIS Service Account Password Dumped"
 },
@@ -31934,6 +40683,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6",
 "value": "Nimgrab File Download"
 },
@@ -31985,6 +40743,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737",
 "value": "Procdump Evasion"
 },
@@ -32002,9 +40769,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://youtu.be/5mqid-7zp8k?t=2481",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
 ],
 "tags": [
@@ -32057,6 +40824,15 @@
 "attack.t1588.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b",
 "value": "Usage of Sysinternals Tools"
 },
@@ -32083,6 +40859,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967",
 "value": "Suspicious Schtasks Execution AppData Folder"
 },
@@ -32108,6 +40900,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881",
 "value": "UAC Bypass Using Disk Cleanup"
 },
@@ -32124,9 +40925,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
 "https://twitter.com/_felamos/status/1204705548668555264",
 "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml"
 ],
 "tags": [
@@ -32134,6 +40935,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3",
 "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN"
 },
@@ -32150,8 +40960,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
 ],
 "tags": [
@@ -32186,6 +40996,15 @@
 "car.2013-05-002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aa3a6f94-890e-4e22-b634-ffdfd54792cc",
 "value": "MS Office Product Spawning Exe in User Dir"
 },
@@ -32214,6 +41033,15 @@
 "car.2013-08-001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189",
 "value": "Scheduled Task Creation"
 },
@@ -32255,8 +41083,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
 "https://sourceforge.net/projects/mouselock/",
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml"
 ],
 "tags": [
@@ -32281,8 +41109,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/wusa.exe/",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.echotrail.io/insights/search/wusa.exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
 ],
 "tags": [
@@ -32313,6 +41141,15 @@
 "attack.t1564.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6",
 "value": "Cmd Stream Redirection"
 },
@@ -32337,6 +41174,15 @@
 "attack.t1528"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
 "value": "Suspicious Office Token Search Via CLI"
 },
@@ -32353,8 +41199,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
 "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
 ],
 "tags": [
@@ -32362,6 +41208,15 @@
 "attack.t1048.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5",
 "value": "Suspicious WebDav Client Execution"
 },
@@ -32401,8 +41256,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://support.anydesk.com/Automatic_Deployment",
 "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
+ "https://support.anydesk.com/Automatic_Deployment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml"
 ],
 "tags": [
@@ -32410,6 +41265,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9",
 "value": "AnyDesk Silent Installation"
 },
@@ -32426,8 +41290,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
 "https://twitter.com/subTee/status/1216465628946563073",
+ "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml"
 ],
 "tags": [
@@ -32462,6 +41326,22 @@
 "attack.t1021.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8",
 "value": "Remote PowerShell Session Host Process (WinRM)"
 },
@@ -32487,7 +41367,7 @@
 ]
 },
 "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed",
- "value": "DllRegisterServer Call From Non Rundll32"
+ "value": "Renamed Rundll32 Execution Via DllRegisterServer"
 },
 {
 "description": "Detects commands that temporarily turn off Volume Snapshots",
@@ -32534,6 +41414,15 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e",
 "value": "Use of Mftrace.exe"
 },
@@ -32558,6 +41447,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a",
 "value": "Suspicious Rundll32 Without Any CommandLine Params"
 },
@@ -32574,9 +41472,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/filip_dragovic/status/1590104354727436290",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
 "https://twitter.com/filip_dragovic/status/1590052248260055041",
+ "https://twitter.com/filip_dragovic/status/1590104354727436290",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
 ],
 "tags": "No established tags"
@@ -32605,6 +41503,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b",
 "value": "Process Dump via RdrLeakDiag.exe"
 },
@@ -32621,8 +41528,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
 ],
@@ -32631,6 +41538,15 @@
 "attack.resource_development"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00",
 "value": "Mustang Panda Dropper"
 },
@@ -32657,6 +41573,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42",
 "value": "DumpMinitool Usage"
 },
@@ -32682,6 +41607,15 @@
 "attack.t1059.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43",
 "value": "Suspicious File Characteristics Due to Missing Fields"
 },
@@ -32711,6 +41645,29 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052",
 "value": "Maze Ransomware"
 },
@@ -32751,10 +41708,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
 "https://www.activecyber.us/activelabs/windows-uac-bypass",
- "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
 "https://twitter.com/ReaQta/status/1222548288731217921",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
 ],
 "tags": [
@@ -32763,6 +41720,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c",
 "value": "Bypass UAC via WSReset.exe"
 },
@@ -32780,8 +41746,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
- "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
 "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
+ "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
 ],
 "tags": [
@@ -32789,6 +41755,15 @@
 "attack.t1486"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "74db3488-fd28-480a-95aa-b7af626de068",
 "value": "LockerGoga Ransomware"
 },
@@ -32815,6 +41790,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "899133d5-4d7c-4a7f-94ee-27355c879d90",
 "value": "Python Inline Command Execution"
 },
@@ -32859,8 +41843,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
 "https://twitter.com/vysecurity/status/977198418354491392",
+ "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
 ],
 "tags": [
@@ -32869,6 +41853,15 @@
 "attack.t1027"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd",
 "value": "Ping Hex IP"
 },
@@ -32885,8 +41878,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
 ],
 "tags": [
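Review bot: In the Ping Hex IP hunk the visible tag list ends with `attack.t1027`, yet the only `related` entry points at `3ccef7ae-cb5e-48f6-8302-897105fbf55c`, which appears nowhere else in this diff as the target for t1027 and, as far as I can tell, is the ATT&CK id of T1140 rather than T1027. The tag array starts outside the hunk, so this entry may belong to an earlier tag, in which case the relationship for T1027 (Obfuscated Files or Information) is missing rather than wrong. Worth checking the script's tag-to-UUID table for t1027 against this entry before the output is relied on for pivoting.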
@@ -32895,9 +41888,49 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936",
 "value": "Schtasks Creation Or Modification With SYSTEM Privileges"
 },
+ {
+ "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)",
+ "meta": {
+ "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community",
+ "creation_date": "2018/09/03",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_susp_powershell_base64_encoded_cmd.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea",
+ "value": "Suspicious Encoded PowerShell Command Line"
+ },
 {
 "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
 "meta": {
@@ -32919,6 +41952,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89",
 "value": "Conhost Spawned By Suspicious Parent Process"
 },
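Review bot: The new Suspicious Encoded PowerShell Command Line entry sets `"falsepositive": "No established falsepositives"`, a string where every other entry in this diff carries an array (the Tracker.exe entry added a few hunks earlier has `"falsepositive": ["Unknown"]`), so a consumer that iterates the field will iterate characters. The same type switch is visible on the context line `"tags": "No established tags"` in the Sysmon exploitation hunk, and since the relationship script derives `related` from `tags`, it presumably has to special-case that string sentinel before iterating. Keeping list-valued fields as lists — `"falsepositive": []` — or omitting the key when nothing is known would keep the schema stable for every consumer of this cluster.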
@@ -32947,6 +41989,22 @@
 "attack.g0001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc",
 "value": "ZxShell Malware"
 },
@@ -32963,7 +42021,7 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/",
+ "Turla has used fsutil fsinfo drives to list connected drives.",
 "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
 ],
@@ -33020,6 +42078,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598",
 "value": "Lolbin Ssh.exe Use As Proxy"
 },
@@ -33036,8 +42103,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
 "https://twitter.com/pabraeken/status/993298228840992768",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml"
 ],
 "tags": [
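Review bot: The fsutil drive enumeration hunk now stores `"Turla has used fsutil fsinfo drives to list connected drives."` as a reference: the prose survived and the only URL in the old line was dropped, so `refs` for this entry mixes a free-text sentence with URLs and no longer points at the source. Everywhere else in this diff `refs` holds URLs only; this element should be `"https://attack.mitre.org/techniques/T1120/"` (the link the removed line carried), with the sentence moved into `description` if it is wanted at all. It looks as if the converter keeps the text before the first URL instead of the URL itself, which is worth checking in the script and in the upstream rule's references list.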
@@ -33047,6 +42114,22 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060",
 "value": "SQL Client Tools PowerShell Session Detection"
 },
@@ -33072,6 +42155,15 @@
 "attack.t1574"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a2910908-e86f-4687-aeba-76a5f996e652",
 "value": "DLL Execution Via Register-cimprovider.exe"
 },
@@ -33096,6 +42188,15 @@
 "attack.t1564.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8",
 "value": "Run PowerShell Script from ADS"
 },
@@ -33113,15 +42214,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine#the-process",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -33131,6 +42232,15 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2",
 "value": "Shadow Copies Deletion Using Operating Systems Utilities"
 },
@@ -33147,9 +42257,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ @@ -33173,9 +42283,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], "tags": [ @@ -33186,6 +42296,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "value": "Bitsadmin Download" }, @@ -33211,6 +42337,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", "value": "Data Compressed - rar.exe" }, 
@@ -33238,6 +42373,22 @@ "attack.t1134.003" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "value": "SharpImpersonation Execution" }, @@ -33286,6 +42437,15 @@ "attack.t1087.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" }, @@ -33310,6 +42470,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "value": "Suspicious Compression Tool Parameters" }, 
@@ -33326,11 +42495,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://twitter.com/bohops/status/980659399495741441", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml" ], "tags": [ @@ -33338,6 +42507,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", "value": "Suspicious Usage of the Manage-bde.wsf Script" }, 
@@ -33362,9 +42540,52 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "value": "Use of VSIISExeLauncher.exe" }, + { + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "meta": { + "author": "frack113", + "creation_date": "2023/01/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_double_ext_parent.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.007" + ] + }, + "related": [ + { + "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "value": "Suspicious Double File Extention in ParentCommandLine" + }, { "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "meta": { 
@@ -33378,9 +42599,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", - "https://twitter.com/bryon_/status/975835709587075072", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://twitter.com/bryon_/status/975835709587075072", + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" ], "tags": [ @@ -33390,6 +42611,22 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", "value": "Detection of PowerShell Execution via Sqlps.exe" }, @@ -33414,6 +42651,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", "value": "Abused Debug Privilege by Arbitrary Parent Processes" }, @@ -33440,6 +42686,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "value": "Invoke-Obfuscation Via Use Clip" }, 
@@ -33464,6 +42719,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "value": "REGISTER_APP.VBS Proxy Execution" }, @@ -33488,6 +42752,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "883faa95-175a-4e22-8181-e5761aeb373c", "value": "Suspicious Service Binary Directory" }, @@ -33528,8 +42801,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/cube0x0", + "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml" ], "tags": "No established tags" @@ -33559,6 +42832,15 @@ "attack.t1559" ] }, + "related": [ + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", "value": "Trickbot Malware Activity" }, 
@@ -33575,10 +42857,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" ], "tags": [ 
@@ -33588,9 +42870,52 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", "value": "Suspicious Csi.exe Usage" }, + { + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Microsoft Operations Manager (MOM)", + "Other scripts" + ], + "filename": "proc_creation_win_susp_powershell_script_engine_parent_.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db", + "value": "Suspicious PowerShell Invocation From Script Engines" + }, { "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", "meta": { @@ -33613,6 +42938,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "value": "Renamed ProcDump Execution" }, 
@@ -33629,14 +42963,23 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.scythe.io/library/threat-emulation-qakbot", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://www.scythe.io/library/threat-emulation-qakbot", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" ], "tags": [ "attack.t1218.001" ] }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "value": "LOLBIN From Abnormal Drive" }, @@ -33662,6 +43005,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "value": "Use of Pcalua For Execution" }, @@ -33678,8 +43030,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml" ], 
@@ -33689,11 +43041,20 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", "value": "NirCmd Tool Execution" }, { - "description": "Detects suspicious ways to download files or content and execute them using PowerShell", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", "meta": { "author": "Florian Roth", "creation_date": "2022/03/24", @@ -33713,6 +43074,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "value": "PowerShell Web Download and Execution" }, @@ -33729,8 +43099,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" ], "tags": [ 
@@ -33754,10 +43124,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/hFireF0X/status/897640081053364225", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://twitter.com/hFireF0X/status/897640081053364225", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" ], "tags": [ @@ -33770,6 +43140,22 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", "value": "CMSTP UAC Bypass via COM Object Access" }, @@ -33811,8 +43197,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", + "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" ], "tags": "No established tags" 
@@ -33845,6 +43231,29 @@ "attack.s0106" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", "value": "CrackMapExec Command Execution" }, @@ -33862,9 +43271,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ 
@@ -33889,10 +43298,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", - "https://github.com/Neo23x0/DLLRunner", - "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://twitter.com/cyb3rops/status/1186631731543236608", + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", + "https://github.com/Neo23x0/DLLRunner", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml" ], "tags": [ @@ -33900,6 +43309,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", "value": "Suspicious Call by Ordinal" }, @@ -33924,6 +43342,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d", "value": "Empire Monkey" }, @@ -33950,6 +43377,15 @@ "car.2013-05-009" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18da1007-3f26-470f-875d-f77faf1cab31", "value": "Ps.exe Renamed SysInternals Tool" }, 
@@ -33974,6 +43410,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d047726b-c71c-4048-a99b-2e2f50dc107d", "value": "Kavremover Dropped Binary LOLBIN Usage" }, @@ -34000,6 +43445,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "value": "Suspicious Msiexec Load DLL" }, @@ -34026,6 +43480,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03", "value": "Suspicious Runscripthelper.exe" }, @@ -34050,6 +43520,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "value": "CL_Mutexverifiers.ps1 Proxy Execution" }, @@ -34075,6 +43554,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "90d50722-0483-4065-8e35-57efaadd354d", "value": "DevInit Lolbin Download" }, 
@@ -34091,8 +43579,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml" ], "tags": [ @@ -34116,8 +43604,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/j0nh4t/status/1429049506021138437", "https://streamable.com/q2dsji", + "https://twitter.com/j0nh4t/status/1429049506021138437", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml" ], "tags": [ @@ -34125,6 +43613,15 @@ "attack.t1553" ] }, + "related": [ + { + "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", "value": "Suspicious RazerInstaller Explorer Subprocess" }, @@ -34148,6 +43645,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", "value": "Encoded IEX" }, 
@@ -34165,8 +43671,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", - "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml" ], "tags": [ @@ -34197,6 +43703,15 @@ "attack.t1119" ] }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7", "value": "Recon Information for Export with Command Prompt" }, @@ -34223,6 +43738,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "033fe7d6-66d1-4240-ac6b-28908009c71f", "value": "APT29" }, @@ -34275,6 +43799,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e", "value": "Registry Dump of SAM Creds and Secrets" }, 
@@ -34370,8 +43903,8 @@ "refs": [ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://twitter.com/0gtweet/status/1583356502340870144", + "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" ], "tags": [ @@ -34380,6 +43913,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "value": "Use of Setres.exe" }, @@ -34396,10 +43945,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" ], 
@@ -34408,6 +43957,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "value": "Rclone Execution via Command Line or PowerShell" }, @@ -34424,9 +43982,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml" ], "tags": [ @@ -34434,6 +43992,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "value": "Copy from Volume Shadow Copy" }, @@ -34450,9 +44017,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/c_APT_ure/status/939475433711722497", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "https://twitter.com/haroonmeer/status/939099379834658817", - "https://twitter.com/c_APT_ure/status/939475433711722497", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml" ], "tags": [ 
@@ -34511,6 +44078,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cea72823-df4d-4567-950c-0b579eaf0846", "value": "WScript or CScript Dropper" }, @@ -34535,6 +44118,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", "value": "Sideloading Link.EXE" }, @@ -34559,6 +44151,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "value": "Suspicious Script Execution From Temp Folder" }, @@ -34585,6 +44186,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", "value": "FromBase64String Command Line" }, 
@@ -34609,6 +44226,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", "value": "Use of Anydesk Remote Access Software from Suspicious Folder" }, @@ -34634,6 +44260,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6355a919-2e97-4285-a673-74645566340d", "value": "RdrLeakDiag Process Dump" }, @@ -34662,6 +44297,15 @@ "car.2014-04-003" ] }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca", "value": "MSHTA Spawning Windows Shell" }, @@ -34686,6 +44330,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b046706-5789-4673-b111-66f25fe99534", "value": "Overwrite Deleted Data with Cipher" }, @@ -34727,8 +44380,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": "No established tags" 
@@ -34749,8 +44402,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" ], "tags": [ @@ -34781,6 +44434,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", "value": "UNC2452 Process Creation Patterns" }, @@ -34797,8 +44459,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml" ], "tags": [ @@ -34847,8 +44509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://www.echotrail.io/insights/search/defaultpack.exe", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml" ], "tags": [ @@ -34857,6 +44519,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b2309017-4235-44fe-b5af-b15363011957", "value": "Lolbin Defaultpack.exe Use As Proxy" }, 
@@ -34874,10 +44545,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", - "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml" ], "tags": [ @@ -34885,6 +44556,15 @@ "attack.t1027.004" ] }, + "related": [ + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", "value": "Suspicious Csc.exe Source File Folder" }, @@ -34909,6 +44589,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "value": "Suspicious Execution of InstallUtil To Download" }, @@ -34934,6 +44623,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "value": "Inveigh Hack Tool" }, 
@@ -34961,6 +44659,22 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18739897-21b1-41da-8ee4-5b786915a676", "value": "GALLIUM Artefacts" }, @@ -34986,6 +44700,15 @@ "attack.g0069" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", "value": "MERCURY Command Line Patterns" }, @@ -35010,6 +44733,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", "value": "Suspicious Diantz Alternate Data Stream Execution" }, @@ -35035,6 +44767,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d", "value": "Microsoft Outlook Product Spawning Windows Shell" }, @@ -35060,6 +44801,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "value": "UAC Bypass Tool UACMe Akagi" }, 
@@ -35086,6 +44836,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b222df08-0e07-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation CLIP+ Launcher" }, @@ -35110,6 +44869,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d", "value": "Suspicious Execution of Taskkill" }, @@ -35158,6 +44926,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "value": "HandleKatz LSASS Dumper Usage" }, @@ -35174,11 +44951,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", - "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", "https://twitter.com/egre55/status/1087685529016193025", + "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", + "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml" ], "tags": [ 
@@ -35195,6 +44972,22 @@ "attack.g0096" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", "value": "Suspicious Certutil Command Usage" }, @@ -35211,8 +45004,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml" ], "tags": [ @@ -35268,6 +45061,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "afe52666-401e-4a02-b4ff-5d128990b8cb", "value": "RAR Greedy Compression" }, @@ -35284,8 +45086,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml" ], "tags": [ 
@@ -35293,6 +45095,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", "value": "Suspicious Schtasks Schedule Type With High Privileges" }, @@ -35318,6 +45129,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7", "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)" }, @@ -35334,8 +45154,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", + "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" ], "tags": [ @@ -35345,6 +45165,22 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", "value": "Windows Defender Download Activity" }, 
@@ -35372,6 +45208,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787", "value": "Empire PowerShell UAC Bypass" }, @@ -35396,6 +45241,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "value": "Suspicious CMD Shell Redirect" }, @@ -35412,10 +45266,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -35426,6 +45280,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "value": "Bitsadmin Download to Uncommon Target Folder" }, 
@@ -35518,8 +45388,8 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -35552,6 +45422,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420", "value": "Use of Scriptrunner.exe" }, @@ -35568,8 +45447,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -35577,6 +45456,15 @@ "attack.t1003.005" ] }, + "related": [ + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "value": "Cmdkey Cached Credentials Recon" }, 
@@ -35593,10 +45481,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ @@ -35607,6 +45495,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac", "value": "Bitsadmin Download to Suspicious Target Folder" }, @@ -35631,6 +45535,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", "value": "Suspicious File Download via CertOC.exe" }, 
@@ -35647,12 +45560,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://attack.mitre.org/techniques/T1557/001/", - "https://github.com/ohpe/juicy-potato", "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://github.com/ohpe/juicy-potato", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" ], "tags": [ @@ -35660,6 +45572,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", "value": "SMB Relay Attack Tools" }, @@ -35685,6 +45606,15 @@ "attack.s0111" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", "value": "Defrag Deactivation" }, @@ -35711,6 +45641,15 @@ "attack.t1095" ] }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "value": "Netcat Suspicious Execution" }, 
@@ -35735,6 +45674,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4824fca-976f-4964-b334-0621379e84c4", "value": "Sysinternals SDelete Delete File" }, @@ -35751,9 +45699,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://abuse.io/lockergoga.txt", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml" ], "tags": [ @@ -35781,8 +45729,8 @@ "refs": [ "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml" ], "tags": [ 
@@ -35790,6 +45738,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "value": "Empire PowerShell Launch Parameters" }, @@ -35832,8 +45789,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml" ], @@ -35844,6 +45801,15 @@ "attack.t1087.002" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "value": "Suspicious Use of PsLogList" }, @@ -35860,9 +45826,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/frack113/status/1555830623633375232", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" ], "tags": [ 
@@ -35870,6 +45836,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969", "value": "Use Short Name Path in Command Line" }, @@ -35894,6 +45869,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", "value": "Use of UltraViewer Remote Access Software" }, @@ -35918,6 +45902,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00a4bacd-6db4-46d5-9258-a7d5ebff4003", "value": "Read and Execute a File Via Cmd.exe" }, @@ -35934,9 +45927,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml" ], "tags": [ 
@@ -35947,6 +45940,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", "value": "Bitsadmin Download File with Suspicious Extension" }, @@ -35971,6 +45980,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da", "value": "WMIC Service Start/Stop" }, @@ -35995,6 +46013,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "value": "Suspicious Invoke-WebRequest Usage" }, @@ -36045,6 +46072,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "value": "Netsh Firewall Rule Deletion" }, 
@@ -36061,11 +46097,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/vysecurity/status/885545634958385153", - "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", - "https://twitter.com/Hexacorn/status/885570278637678592", "https://twitter.com/Hexacorn/status/885553465417756673", + "https://twitter.com/Hexacorn/status/885570278637678592", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" ], "tags": [ @@ -36073,6 +46109,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "value": "Suspicious Commandline Escape" }, @@ -36098,6 +46143,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", "value": "Download Arbitrary Files Via PresentationHost.exe" }, 
@@ -36160,8 +46214,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" ], "tags": [ @@ -36193,6 +46247,15 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", "value": "Net.exe User Account Creation - Never Expire" }, @@ -36233,6 +46296,7 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" ], "tags": [ @@ -36241,6 +46305,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", "value": "Monitoring Winget For LOLbin Execution" }, @@ -36289,6 +46362,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", "value": "MSDT.EXE Execution With Suspicious Cab Option" }, 
@@ -36303,8 +46385,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" ], "tags": [ @@ -36313,6 +46395,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71", "value": "Adwind RAT / JRAT" }, @@ -36338,6 +46436,15 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", "value": "Windows Credential Editor" }, @@ -36354,8 +46461,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/yosqueoy/ditsnap", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/yosqueoy/ditsnap", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" ], "tags": [ 
@@ -36363,6 +46470,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", "value": "DIT Snapshot Viewer Use" }, @@ -36379,8 +46495,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml" ], "tags": [ @@ -36388,6 +46504,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "value": "WMIC Hotfix Recon" }, @@ -36404,8 +46529,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/ps/foreach-object.htmll", "https://ss64.com/nt/for.html", + "https://ss64.com/ps/foreach-object.htmll", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" ], @@ -36416,6 +46541,15 @@ "attack.t1018" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", "value": "Suspicious Scan Loop Network" }, 
@@ -36462,6 +46596,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "value": "Suspicious Stop Windows Service" }, @@ -36487,6 +46630,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", "value": "Encoded FromBase64String" }, @@ -36512,6 +46671,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "value": "Launch TruffleSnout Executable" }, @@ -36537,6 +46705,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "value": "Suspicious Get ComputerSystem Information with WMIC" }, @@ -36553,9 +46730,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/oulusoyum/status/1191329746069655553", "https://twitter.com/mattifestation/status/1196390321783025666", - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ 
@@ -36565,6 +46742,22 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "value": "Time Travel Debugging Utility Usage" }, @@ -36581,9 +46774,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -36591,6 +46784,15 @@ "attack.t1005" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362", "value": "Esentutl Steals Browser Information" }, @@ -36607,9 +46809,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" ], "tags": [ 
@@ -36620,6 +46822,29 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", "value": "Abusing Findstr for Defense Evasion" }, @@ -36637,9 +46862,9 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml" ], "tags": [ @@ -36674,6 +46899,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5bb68627-3198-40ca-b458-49f973db8752", "value": "Rundll32 Without Parameters" }, 
@@ -36702,6 +46943,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "value": "WSL Execution" }, @@ -36770,6 +47027,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" }, @@ -36794,6 +47060,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", "value": "Download Files Using Notepad++ GUP Utility" }, @@ -36818,6 +47093,15 @@ "attack.t1027.009" ] }, + "related": [ + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "value": "Powershell Token Obfuscation - Process Creation" }, @@ -36892,6 +47176,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "value": "Devtoolslauncher.exe Executes Specified Binary" }, 
@@ -36917,6 +47210,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", "value": "Judgement Panda Credential Access Activity" }, @@ -36933,8 +47235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml" ], @@ -36967,6 +47269,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "value": "7Zip Compressing Dump Files" }, @@ -37008,8 +47319,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml" ], "tags": [ 
@@ -37022,6 +47333,29 @@ "cve.2020.10189" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7", "value": "Exploited CVE-2020-10189 Zoho ManageEngine" }, @@ -37038,8 +47372,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml" ], "tags": [ @@ -37072,6 +47406,15 @@ "cve.2021.35211" ] }, + "related": [ + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "value": "Suspicious Serv-U Process Pattern" }, @@ -37097,6 +47440,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "value": "Wsudo Suspicious Execution" }, 
@@ -37113,8 +47465,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml" ], "tags": [ @@ -37125,6 +47477,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "value": "Office Processes Proxy Execution Through WMIC" }, @@ -37150,6 +47525,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "value": "Suspicious Regsvr32 HTTP IP Pattern" }, @@ -37175,6 +47559,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d", "value": "Curl Usage on Windows" }, 
@@ -37199,6 +47592,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", "value": "Detection of PowerShell Execution via DLL" }, @@ -37223,11 +47625,20 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0bbc6369-43e3-453d-9944-cae58821c173", "value": "Execution via WorkFolders.exe" }, { - "description": "Detects suspicious sub processes spawned by PowerShell", + "description": "Detects suspicious child processes spawned by PowerShell", "meta": { "author": "Florian Roth, Tim Shelton", "creation_date": "2022/04/26", @@ -37245,7 +47656,7 @@ "tags": "No established tags" }, "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "value": "Suspicious PowerShell Sub Processes" + "value": "Suspicious PowerShell Child Processes" }, { "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", @@ -37284,8 +47695,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", "https://twitter.com/ShadowChasing1/status/1552595370961944576", + "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml" ], "tags": [ 
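Review bot: In the "Suspicious PowerShell Child Processes" hunk the cluster still carries `"tags": "No established tags"` — a string sentinel where every other cluster in this diff has an array — so any consumer iterating `meta.tags` has to special-case it; the generator should emit `"tags": []` (or omit the key) rather than a magic string, and the same applies to the `"No established product"` / `"No established category"` placeholders used elsewhere. The rename of `value` from "Suspicious PowerShell Sub Processes" to "Suspicious PowerShell Child Processes" keeps the uuid, which is right for cluster identity, but if this galaxy is applied as MISP tags of the form `misp-galaxy:sigma-rules="<value>"`, events already tagged with the old value will no longer resolve to this cluster — consider noting the rename in the commit message or keeping the old name as a synonym if the galaxy schema supports it.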
@@ -37293,6 +47704,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "value": "Suspicious Net Use Command Combo" }, @@ -37309,8 +47729,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" ], "tags": [ @@ -37321,6 +47741,22 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905", "value": "Exploit for CVE-2017-8759" }, @@ -37345,6 +47781,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d", "value": "Suspicious CustomShellHost Execution" }, 
@@ -37369,6 +47814,15 @@ "attack.t1562.010" ] }, + "related": [ + { + "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "value": "Registry Disabling LSASS PPL" }, @@ -37416,6 +47870,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", "value": "Potential Persistence Execution Via Microsoft Compatibility Appraiser" }, @@ -37444,6 +47907,22 @@ "attack.t1620" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "value": "Base64 Encoded Reflective Assembly Load" }, @@ -37460,9 +47939,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" ], "tags": [ 
@@ -37470,6 +47949,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", "value": "Suspicious Schtasks Schedule Types" }, @@ -37486,8 +47974,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml" ], "tags": [ @@ -37523,6 +48011,29 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", "value": "Application Whitelisting Bypass via Bginfo" }, 
@@ -37540,8 +48051,8 @@ "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml" ], "tags": [ @@ -37549,6 +48060,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", "value": "WMIC Unquoted Services Path Lookup" }, @@ -37565,8 +48085,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" ], "tags": [ 
@@ -37590,12 +48110,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://www.joeware.net/freetools/tools/adfind/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml" ], "tags": [ @@ -37606,6 +48126,22 @@ "attack.t1069.002" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", "value": "Renamed AdFind Detection" }, 
@@ -37631,6 +48167,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", "value": "Renamed MegaSync" }, @@ -37687,6 +48232,29 @@ "attack.t1218.005" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", "value": "Baby Shark Activity" }, @@ -37736,6 +48304,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a70042a-6622-4a2b-8958-267625349abf", "value": "Run from a Zip File" }, @@ -37761,6 +48338,15 @@ "attack.t1546.011" ] }, + "related": [ + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "517490a7-115a-48c6-8862-1a481504d5a8", "value": "Possible Shim Database Persistence via sdbinst.exe" }, 
@@ -37777,9 +48363,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.php.net/manual/en/features.commandline.php", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", - "https://www.php.net/manual/en/features.commandline.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -37787,6 +48373,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", "value": "Php Inline Command Execution" }, @@ -37837,6 +48432,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", "value": "Rar Usage with Password and Compression Level" }, @@ -37862,6 +48466,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "50919691-7302-437f-8e10-1fe088afa145", "value": "Regsvr32 Command Line Without DLL" }, @@ -37887,6 +48500,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", "value": "Blue Mockingbird" }, 
@@ -37906,8 +48528,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" ], "tags": [ @@ -37940,6 +48562,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", "value": "Suspicious Regsvr32 Execution From Remote Share" }, @@ -37956,8 +48587,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/klinix5/InstallerFileTakeOver", "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/klinix5/InstallerFileTakeOver", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml" ], "tags": [ @@ -37965,6 +48596,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", "value": "Possible InstallerFileTakeOver LPE CVE-2021-41379" }, @@ -37992,6 +48632,15 @@ "attack.t1021.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "value": "Suspicious Add User to Remote Desktop Users Group" }, 
@@ -38008,8 +48657,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" ], "tags": [ @@ -38040,6 +48689,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "value": "PowerShell Download from URL" }, @@ -38103,8 +48761,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182389676876980224", "https://twitter.com/cglyer/status/1182391019633029120", + "https://twitter.com/cglyer/status/1182389676876980224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -38112,6 +48770,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "value": "WMI Backdoor Exchange Transport Agent" }, @@ -38190,6 +48857,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600", "value": "Shells Spawned by Web Servers" }, 
@@ -38206,14 +48882,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://twitter.com/Hexacorn/status/776122138063409152", "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ 
@@ -38223,6 +48899,22 @@
 "attack.t1218.013"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66",
 "value": "Mavinject Inject DLL Into Running Process"
 },
@@ -38247,6 +48939,15 @@
 "attack.t1218.007"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c",
 "value": "Suspicious Msiexec Quiet Install From Remote Location"
 },
@@ -38271,6 +48972,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e",
 "value": "Proxy Execution Via Explorer.exe"
 },
@@ -38295,6 +49005,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d",
 "value": "CreateMiniDump Hacktool"
 },
@@ -38335,12 +49054,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -38365,8 +49084,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
 "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
+ "https://twitter.com/med0x2e/status/1520402518685200384",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
 ],
 "tags": [
@@ -38375,6 +49094,15 @@
 "attack.t1212"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bb76d96b-821c-47cf-944b-7ce377864492",
 "value": "Suspicious NTLM Authentication on the Printer Spooler Service"
 },
@@ -38425,6 +49153,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9f107a84-532c-41af-b005-8d12a607639f",
 "value": "Cabinet File Expansion"
 },
@@ -38449,6 +49186,15 @@
 "attack.t1489"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1",
 "value": "Delete All Scheduled Tasks"
 },
@@ -38498,6 +49244,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79",
 "value": "TropicTrooper Campaign November 2018"
 },
@@ -38514,9 +49269,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml"
 ],
 "tags": [
@@ -38524,6 +49279,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1",
 "value": "Suspicious Mofcomp Execution"
 },
@@ -38565,8 +49329,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
 "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
 "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml"
 ],
@@ -38576,6 +49340,15 @@
 "attack.s0108"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3",
 "value": "Firewall Disabled via Netsh"
 },
@@ -38600,6 +49373,15 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d",
 "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl"
 },
@@ -38626,6 +49408,15 @@
 "attack.t1218.009"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2",
 "value": "Regasm/Regsvcs Suspicious Execution"
 },
@@ -38653,6 +49444,15 @@
 "attack.t1185"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449",
 "value": "Browser Started with Remote Debugging"
 },
@@ -38669,8 +49469,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
 "https://www.pdq.com/pdq-deploy/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml"
 ],
 "tags": [
@@ -38682,6 +49482,28 @@
 "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450",
 "value": "Use of PDQ Deploy Remote Adminstartion Tool"
 },
+ {
+ "description": "Detects suspicious PowerShell invocation command parameters",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_powershell_invocation_specific.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "536e2947-3729-478c-9903-745aaffe60d2",
+ "value": "Suspicious PowerShell Invocations - Specific - ProcessCreation"
+ },
 {
 "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report",
 "meta": {
@@ -38720,9 +49542,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://attack.mitre.org/techniques/T1036/",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
 ],
 "tags": [
@@ -38730,6 +49551,15 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e",
 "value": "Highly Relevant Renamed Binary"
 },
@@ -38746,8 +49576,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
 ],
 "tags": [
@@ -38755,9 +49585,51 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2",
 "value": "Modification of Boot Configuration"
 },
+ {
+ "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/05/24",
+ "falsepositive": [
+ "Other tools that work with encoded scripts in the command line instead of script files"
+ ],
+ "filename": "proc_creation_win_susp_powershell_encoded_cmd_patterns.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c",
+ "value": "Suspicious PowerShell Encoded Command Patterns"
+ },
 {
 "description": "Detect the harvesting of wifi credentials using netsh.exe",
 "meta": {
@@ -38804,6 +49676,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb",
 "value": "Schtasks From Suspicious Folders"
 },
@@ -38829,6 +49710,15 @@
 "attack.t1552.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86",
 "value": "Suspicious SYSVOL Domain Group Policy Access"
 },
@@ -38855,6 +49745,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "81325ce1-be01-4250-944f-b4789644556f",
 "value": "Suspicious Schtasks From Env Var Folder"
 },
@@ -38871,8 +49770,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml"
 ],
 "tags": [
@@ -38896,8 +49795,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
 ],
 "tags": [
@@ -38929,6 +49828,15 @@
 "attack.t1218.010"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0",
 "value": "Regsvr32 Flags Anomaly"
 },
@@ -38945,9 +49853,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
 "tags": [
@@ -38997,8 +49905,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml"
 ],
 "tags": [
@@ -39031,6 +49939,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0",
 "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines"
 },
@@ -39047,9 +49964,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
 ],
 "tags": [
@@ -39057,6 +49974,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e",
 "value": "LSASS Memory Dumping"
 },
@@ -39081,6 +50007,15 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0a13e132-651d-11eb-ae93-0242ac130002",
 "value": "Suspicious Auditpol Usage"
 },
@@ -39106,6 +50041,15 @@
 "attack.t1564.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "efec536f-72e8-4656-8960-5e85d091345b",
 "value": "Set Suspicious Files as System Files Using Attrib"
 },
@@ -39130,6 +50074,15 @@
 "attack.t1548"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "883835a7-df45-43e4-bf1d-4268768afda4",
 "value": "Regedit as Trusted Installer"
 },
@@ -39146,8 +50099,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/schroedingers-petya/78870/",
 "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
+ "https://securelist.com/schroedingers-petya/78870/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
 ],
 "tags": [
@@ -39159,6 +50112,29 @@
 "car.2016-04-002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1",
 "value": "NotPetya Ransomware Activity"
 },
@@ -39175,8 +50151,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/38156/",
 "https://github.com/fatedier/frp",
+ "https://asec.ahnlab.com/en/38156/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml"
 ],
 "tags": [
@@ -39184,6 +50160,15 @@
 "attack.t1090"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863",
 "value": "Fast Reverse Proxy (FRP)"
 },
@@ -39201,9 +50186,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://attack.mitre.org/techniques/T1036/",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
 ],
 "tags": [
@@ -39211,6 +50195,15 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142",
 "value": "Renamed Binary"
 },
@@ -39227,7 +50220,6 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/techniques/T1196/",
 "https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml"
 ],
@@ -39239,6 +50231,22 @@
 "attack.t1546"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4",
 "value": "Control Panel Items"
 },
@@ -39263,6 +50271,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "344482e4-a477-436c-aa70-7536d18a48c7",
 "value": "Execution via MSSQL Xp_cmdshell Stored Procedure"
 },
@@ -39280,8 +50297,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
 ],
@@ -39293,6 +50310,29 @@
 "car.2013-07-001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167",
 "value": "Grabbing Sensitive Hives via Reg Utility"
 },
@@ -39309,12 +50349,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://www.joeware.net/freetools/tools/adfind/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
 ],
 "tags": [
@@ -39325,6 +50365,22 @@
 "attack.t1069.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9a132afa-654e-11eb-ae93-0242ac130002",
 "value": "AdFind Usage Detection"
 },
@@ -39341,11 +50397,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://blog.alyac.co.kr/1901",
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://twitter.com/cyberwar_15/status/1187287262054076416",
- "https://blog.alyac.co.kr/1901",
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
 "tags": [
@@ -39357,6 +50413,22 @@
 "attack.g0032"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "023394c4-29d5-46ab-92b8-6a534c6f447b",
 "value": "Suspicious HWP Sub Processes"
 },
@@ -39381,6 +50453,15 @@
 "attack.t1548"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b",
 "value": "UAC Bypass via Windows Firewall Snap-In Hijack"
 },
@@ -39405,6 +50486,15 @@
 "attack.t1555.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513",
 "value": "Launch WebBrowserPassView Executable"
 },
@@ -39445,8 +50535,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
 "https://github.com/quarkslab/quarkspwdump",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml"
 ],
 "tags": [
@@ -39454,6 +50544,15 @@
 "attack.t1003.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0685b176-c816-4837-8e7b-1216f346636b",
 "value": "Quarks PwDump Usage"
 },
@@ -39478,6 +50577,15 @@
 "attack.t1572"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d",
 "value": "Suspicious SSH Usage RDP Tunneling"
 },
@@ -39494,9 +50602,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://twitter.com/nas_bench/status/1534957360032120833",
- "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
 ],
 "tags": [
@@ -39507,6 +50615,29 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2",
 "value": "WinDbg/CDB LOLBIN Usage"
 },
@@ -39523,8 +50654,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml"
 ],
 "tags": [
@@ -39534,6 +50665,29 @@
 "attack.t1003.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce",
 "value": "Shadow Copies Creation Using Operating Systems Utilities"
 },
@@ -39558,6 +50712,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413",
 "value": "SafetyKatz Hack Tool"
 },
@@ -39583,6 +50746,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf",
 "value": "WMI Reconnaissance List Remote Services"
 },
@@ -39609,6 +50781,15 @@
 "attack.t1218.011"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d",
 "value": "Fireball Archer Install"
 },
@@ -39636,6 +50817,22 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d",
 "value": "Microsoft Workflow Compiler"
 },
@@ -39652,8 +50849,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Print/",
 "https://twitter.com/Oddvarmoe/status/985518877076541440",
+ "https://lolbas-project.github.io/lolbas/Binaries/Print/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml"
 ],
 "tags": [
@@ -39661,6 +50858,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
 "value": "Abusing Print Executable"
 },
@@ -39677,8 +50883,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
 "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
 ],
 "tags": [
@@ -39713,6 +50919,15 @@
 "attack.t1059.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f",
 "value": "Elise Backdoor"
 },
@@ -39738,6 +50953,15 @@
 "attack.t1106"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4a12fa47-c735-4032-a214-6fab5b120670",
 "value": "Lazarus Activity Apr21"
 },
@@ -39786,6 +51010,15 @@
 "attack.t1555.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b",
 "value": "Potential Browser Data Stealing"
 },
@@ -39802,7 +51035,6 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/techniques/T1564/006/",
 "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
 "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
@@ -39813,6 +51045,22 @@
 "attack.t1564"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bab049ca-7471-4828-9024-38279a4c04da",
 "value": "Detect Virtualbox Driver Installation OR Starting Of VMs"
 },
@@ -39837,6 +51085,15 @@
 "attack.t1588.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f",
 "value": "Renamed SysInternals Debug View"
 },
@@ -39854,8 +51111,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.echotrail.io/insights/search/mshta.exe",
- "https://en.wikipedia.org/wiki/HTML_Application",
 "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://en.wikipedia.org/wiki/HTML_Application",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml"
 ],
 "tags": [
@@ -39863,6 +51120,15 @@
 "attack.t1106"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba",
 "value": "Suspicious MSHTA Process Patterns"
 },
@@ -39888,32 +51154,6 @@
 "uuid": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf",
 "value": "Potential COM Objects Download Cradles Usage - Process Creation"
 },
- {
- "description": "Detects suspicious encoded character syntax often used for defense evasion",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2020/07/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_powershell_encoded_param.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/0gtweet/status/1281103918693482496",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1027"
- ]
- },
- "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6",
- "value": "PowerShell Encoded Character Syntax"
- },
 {
 "description": "Detects the use of 3proxy, a tiny free proxy server",
 "meta": {
@@ -39927,8 +51167,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/3proxy/3proxy",
 "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml"
 ],
 "tags": [
@@ -39936,6 +51176,15 @@
 "attack.t1572"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f38a82d2-fba3-4781-b549-525efbec8506",
 "value": "3Proxy Usage"
 },
@@ -39952,10 +51201,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://curl.se/docs/manpage.html",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -39964,6 +51213,22 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04",
 "value": "Suspicious Curl File Upload"
 },
@@ -39989,6 +51254,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d",
 "value": "UAC Bypass Using IEInstal - Process"
 },
@@ -40016,6 +51290,22 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132",
 "value": "Suspicious ZipExec Execution"
 },
@@ -40042,6 +51332,29 @@
 "attack.t1132.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0",
 "value": "DNS Exfiltration and Tunneling Tools Execution"
 },
@@ -40066,6 +51379,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d",
 "value": "Use of GoToAssist Remote Access Software"
 },
@@ -40090,6 +51412,15 @@
 "attack.t1552.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d",
 "value": "Findstr GPP Passwords"
 },
@@ -40129,9 +51460,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
 "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml"
 ],
 "tags": [
@@ -40139,6 +51470,15 @@
 "attack.t1218.010"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e",
 "value": "Suspicious Regsvr32 Execution With Image Extension"
 },
@@ -40164,6 +51504,15 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0",
 "value": "Remote Code Execute via Winrm.vbs"
 },
@@ -40182,8 +51531,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml"
 ],
 "tags": [
@@ -40207,10 +51556,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
 "tags": [
@@ -40222,6 +51571,15 @@
 "attack.t1021.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900",
 "value": "Copy from Admin Share"
 },
@@ -40247,6 +51605,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130",
 "value": "UAC Bypass via ICMLuaUtil"
 },
@@ -40271,6 +51638,15 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c",
 "value": "SharpEvtMute EvtMuteHook Load"
 },
@@ -40298,6 +51674,22 @@
 "attack.t1134.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94",
 "value": "Impersonate Execution"
 },
@@ -40314,8 +51706,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml"
 ],
 "tags": [
@@ -40412,9 +51804,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://twitter.com/jonasLyk/status/1555914501802921984",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
 ],
 "tags": [
@@ -40422,6 +51814,15 @@
 "attack.t1564.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b",
 "value": "Use NTFS Short Name in Image"
 },
@@ -40447,6 +51848,15 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20",
 "value": "Renamed PowerShell"
 },
@@ -40471,6 +51881,15 @@
 "attack.t1539"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7",
 "value": "SQLite Firefox Cookie DB Access"
 },
@@ -40488,8 +51907,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/hexacorn/status/1448037865435320323",
 "https://twitter.com/Gal_B1t/status/1062971006078345217",
+ "https://twitter.com/hexacorn/status/1448037865435320323",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml"
 ],
 "tags": [
@@ -40571,6 +51990,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b",
 "value": "InfDefaultInstall.exe .inf Execution"
 },
@@ -40588,8 +52016,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml"
 ],
 "tags": [
@@ -40597,6 +52025,15 @@
 "attack.t1059.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48",
 "value": "Operator Bloopers Cobalt Strike Modules"
 },
@@ -40613,8 +52050,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bohops/status/948061991012327424",
 "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
+ "https://twitter.com/bohops/status/948061991012327424",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml"
 ],
 "tags": [
@@ -40622,6 +52059,15 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429",
 "value": "Execution via CL_Invocation.ps1"
 },
@@ -40741,6 +52187,15 @@
 "attack.t1135"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "75925535-ca97-4e0a-a850-00b5c00779dc",
 "value": "Automated Turla Group Lateral Movement"
 },
@@ -40765,6 +52220,15 @@
 "attack.t1564.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c",
 "value": "Execute From Alternate Data Streams"
 },
@@ -40811,6 +52275,15 @@
 "attack.t1484.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d",
 "value": "Modify Group Policy Settings"
 },
@@ -40837,6 +52310,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5",
 "value": "Execute Arbitrary Commands Using MSDT.EXE"
 },
@@ -40861,6 +52343,15 @@
 "attack.t1552.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1",
 "value": "Enumeration for Credentials in Registry"
 },
@@ -40885,6 +52376,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff",
 "value": "Custom Class Execution via Xwizard"
 },
@@ -40901,10 +52401,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
 "https://twitter.com/BleepinComputer/status/1372218235949617161",
 "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
 "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
 ],
@@ -40914,6 +52414,15 @@
 "attack.t1053"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7",
 "value": "Exchange Exploitation Activity"
 },
@@ -40931,8 +52440,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
- "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
 ],
 "tags": [
@@ -40941,6 +52450,22 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b7155193-8a81-4d8f-805d-88de864ca50c",
 "value": "UNC2452 PowerShell Pattern"
 },
@@ -40967,6 +52492,22 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8",
 "value": "Sysmon Driver Unload"
 },
@@ -41015,6 +52556,15 @@
 "attack.execution"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710",
 "value": "Java Running with Remote Debugging"
 },
@@ -41056,8 +52606,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
 "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
 "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
 "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
@@ -41088,9 +52638,53 @@
 "attack.t1218.011"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7453575c-a747-40b9-839b-125a0aae324b",
 "value": "Unidentified Attacker November 2018"
 },
+ {
+ "description": "Detects suspicious encoded character syntax often used for defense evasion",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2020/07/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_powershell_obfuscation_via_utf8.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1281103918693482496",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense_evasion",
+ "attack.t1027"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6",
+ "value": "Potential PowerShell Obfuscation Via WCHAR"
+ },
 {
 "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin",
 "meta": {
@@ -41106,8 +52700,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
 ],
 "tags": [
@@ -41139,6 +52733,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8",
 "value": "Use of UltraVNC Remote Access Software"
 },
@@ -41164,6 +52767,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b",
 "value": "Suspicious Scheduled Task Name As GUID"
 },
@@ -41189,6 +52801,15 @@
 "attack.t1021.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423",
 "value": "WinRM Access with Evil-WinRM"
 },
@@ -41214,9 +52835,42 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602",
 "value": "Scheduled Task WScript VBScript"
 },
+ {
+ "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_appx_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "f91ed517-a6ba-471d-9910-b3b4a398c0f3",
+ "value": "Suspicious Windows App Activity"
+ },
 {
 "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.",
 "meta": {
@@ -41239,6 +52893,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74",
 "value": "Wscript Execution from Non C Drive"
 },
@@ -41263,6 +52926,15 @@
 "attack.t1027.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535",
 "value": "Visual Basic Command Line Compiler Usage"
 },
@@ -41324,9 +52996,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
 ],
 "tags": [
@@ -41351,8 +53023,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
 "https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml"
 ],
 "tags": [
@@ -41385,6 +53057,15 @@
 "attack.initial_access"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e",
 "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms"
 },
@@ -41401,8 +53082,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/regsvr32.exe",
 "https://redcanary.com/blog/intelligence-insights-april-2022/",
+ "https://www.echotrail.io/insights/search/regsvr32.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml"
 ],
 "tags": [
@@ -41410,6 +53091,15 @@
 "attack.t1218.010"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca",
 "value": "Regsvr32 Spawning Explorer"
 },
@@ -41426,8 +53116,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml"
 ],
 "tags": [
@@ -41436,6 +53126,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "40f9af16-589d-4984-b78d-8c2aec023197",
 "value": "High Integrity Sdclt Process"
 },
@@ -41452,8 +53151,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
 "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html",
+ "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
 "https://github.com/lukebaggett/dnscat2-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml"
 ],
@@ -41465,6 +53164,36 @@
 "attack.t1041"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003",
 "value": "DNSCat2 Powershell Implementation Detection Via Process Creation"
 },
@@ -41490,6 +53219,22 @@
 "attack.t1059.007"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e",
 "value": "Node Process Executions"
 },
@@ -41507,8 +53252,8 @@ "logsource.product": "windows", "refs": [ "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", - "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", + "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" ], "tags": [ @@ -41517,6 +53262,15 @@ "car.2016-03-002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", "value": "Suspicious WMIC Execution" }, @@ -41542,6 +53296,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", "value": "Suspicious Modification Of Scheduled Tasks" }, 
@@ -41568,33 +53331,18 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b3512211-c67e-4707-bedc-66efc7848863", "value": "Potential PowerShell Downgrade Attack" }, - { - "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", - "meta": { - "author": "Avneet Singh @v3t0_, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_tracker_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055.001" - ] - }, - "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", - "value": "DLL Injection with Tracker.exe" - }, { "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "meta": { @@ -41616,6 +53364,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", "value": "CrackMapExec Process Patterns" }, @@ -41643,6 +53400,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767", "value": "Suspicious Copy From or To System32" }, 
@@ -41669,6 +53435,22 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", "value": "Writing Of Malicious Files To The Fonts Folder" }, @@ -41695,6 +53477,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", "value": "Invoke-Obfuscation Via Use MSHTA" }, 
@@ -41719,9 +53510,51 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", "value": "Use of LogMeIn Remote Access Software" }, + { + "description": "Detects powershell scripts that import modules from suspicious directories", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_import_module_susp_dirs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", + "value": "Import PowerShell Modules From Suspicious Directories - ProcCreation" + }, { "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", "meta": { @@ -41743,6 +53576,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "value": "Compress Data and Lock With Password for Exfiltration With WINZIP" }, 
@@ -41768,6 +53610,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", "value": "Set Windows System File with Attrib" }, @@ -41798,6 +53649,15 @@ "attack.t1135" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", "value": "Turla Group Lateral Movement" }, @@ -41822,6 +53682,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", "value": "Suspicious Extrac32 Alternate Data Stream Execution" }, @@ -41848,6 +53717,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", "value": "NodejsTools PressAnyKey Lolbin" }, @@ -41872,6 +53750,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" }, 
@@ -41913,10 +53800,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://nodejs.org/api/cli.html", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -41924,6 +53811,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", "value": "Node.exe Process Abuse" }, @@ -41949,6 +53845,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", "value": "PowerShell Script Run in AppData" }, @@ -41965,9 +53870,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ 
@@ -41976,6 +53881,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "value": "UAC Bypass Using ChangePK and SLUI" }, @@ -41992,8 +53906,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", + "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" ], "tags": [ @@ -42004,6 +53918,22 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a", "value": "Droppers Exploiting CVE-2017-11882" }, @@ -42029,6 +53959,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "value": "Fsutil Behavior Set SymlinkEvaluation" }, 
@@ -42053,6 +53992,15 @@ "attack.t1552.006" ] }, + "related": [ + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929", "value": "Findstr LSASS" }, @@ -42092,8 +54040,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" @@ -42103,6 +54051,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", "value": "Change PowerShell Policies to an Insecure Level" }, @@ -42119,9 +54076,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" ], "tags": [ 
@@ -42155,6 +54112,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "value": "Netsh RDP Port Forwarding" }, @@ -42203,6 +54169,15 @@ "attack.t1090.003" ] }, + "related": [ + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", "value": "Tor Client or Tor Browser Use" }, @@ -42219,12 +54194,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/Wietze/status/1542107456507203586", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817", - "https://twitter.com/Wietze/status/1542107456507203586", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml" ], "tags": [ @@ -42235,6 +54210,15 @@ "car.2013-05-009" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", "value": "Process Dump via Rundll32 and Comsvcs.dll" }, 
@@ -42251,16 +54235,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://twitter.com/_xpn_/status/1268712093928378368", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" ], "tags": [ @@ -42268,11 +54252,20 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41421f44-58f9-455d-838a-c398859841d4", "value": "ETW Logging Tamper In .NET Processes" }, { - "description": "Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec", + "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", "meta": { "author": "Nasreddine Bencherchali", "creation_date": "2022/09/06", @@ -42292,8 +54285,17 @@ "attack.t1106" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", - "value": "Potential WinAPI Access Via CommandLine" + "value": "Potential WinAPI Calls Via CommandLine" }, { "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", @@ -42316,6 +54318,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9494479d-d994-40bf-a8b1-eea890237021", "value": "Suspicious Add Scheduled Task Parent" }, @@ -42341,6 +54352,15 @@ "car.2013-08-001" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf", "value": "Windows 10 Scheduled Task SandboxEscaper 0-day" }, 
@@ -42357,8 +54377,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml" ], "tags": [ @@ -42366,6 +54386,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "410ad193-a728-4107-bc79-4419789fcbf8", "value": "Trickbot Malware Recon Activity" }, @@ -42413,6 +54442,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "93199800-b52a-4dec-b762-75212c196542", "value": "RunXCmd Tool Execution As System" }, @@ -42429,8 +54467,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990758590020452353", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", + "https://twitter.com/pabraeken/status/990758590020452353", "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], 
@@ -42439,6 +54477,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", "value": "Malicious PE Execution by Microsoft Visual Studio Debugger" }, @@ -42467,6 +54514,29 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", "value": "Koadic Execution" }, @@ -42491,6 +54561,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "value": "Disable Windows IIS HTTP Logging" }, @@ -42515,6 +54594,15 @@ "attack.t1217" ] }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", "value": "Suspicious Where Execution" }, 
@@ -42532,8 +54620,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://curl.se/docs/manpage.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", + "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml" ], "tags": [ @@ -42541,6 +54629,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3286d37a-00fd-41c2-a624-a672dcd34e60", "value": "Suspicious Curl Change User Agents" }, @@ -42565,6 +54662,15 @@ "attack.t1555.004" ] }, + "related": [ + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", "value": "Windows Credential Manager Access via VaultCmd" }, @@ -42605,8 +54711,8 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", - "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", + "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" ], "tags": [ 
@@ -42616,6 +54722,22 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "value": "SOURGUM Actor Behaviours" }, @@ -42632,8 +54754,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml" ], "tags": [ @@ -42641,6 +54763,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "value": "Deletion of Volume Shadow Copies via WMI with PowerShell" }, 
@@ -42657,9 +54788,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/vysecurity/status/974806438316072960", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", - "https://twitter.com/vysecurity/status/974806438316072960", "https://twitter.com/vysecurity/status/873181705024266241", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml" ], @@ -42668,6 +54799,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "93671f99-04eb-4ab4-a161-70d446a84003", "value": "Capture Credentials with Rpcping.exe" }, @@ -42694,6 +54834,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", "value": "Renamed CreateDump Process Dump" }, @@ -42710,8 +54859,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ 
@@ -42720,6 +54869,22 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" }, @@ -42736,9 +54901,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", - "https://github.com/jpillora/chisel/", "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", + "https://github.com/jpillora/chisel/", + "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" ], "tags": [ @@ -42746,6 +54911,15 @@ "attack.t1090.001" ] }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "value": "Chisel Tunneling Tool Usage" }, @@ -42770,6 +54944,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "value": "Impacket Tool Execution" }, 
@@ -42810,8 +54993,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" ], "tags": [ @@ -42843,6 +55026,15 @@ "attack.t1567" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f0f6176-6482-4027-b151-00071af39d7e", "value": "Suspicious ConfigSecurityPolicy Execution" }, @@ -42859,8 +55051,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.youtube.com/watch?v=Ie831jF0bb0", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" ], "tags": [ @@ -42870,6 +55062,22 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "value": "Process Access via TrolleyExpress Exclusion" }, 
@@ -42886,9 +55094,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -42921,6 +55129,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "value": "Bypass UAC via Fodhelper.exe" }, @@ -42945,6 +55162,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", "value": "NPS Tunneling Tool" }, @@ -42970,6 +55196,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "value": "Dumpert Process Dumper" }, 
@@ -43020,6 +55255,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "056a7ee1-4853-4e67-86a0-3fd9ceed7555", "value": "Invoke-Obfuscation RUNDLL LAUNCHER" }, @@ -43044,6 +55288,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", "value": "Suspicious Dosfuscation Character in Commandline" }, @@ -43068,6 +55321,15 @@ "attack.t1552.004" ] }, + "related": [ + { + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "value": "Discover Private Keys" }, @@ -43093,6 +55355,15 @@ "attack.t1556.002" ] }, + "related": [ + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", "value": "Dropping Of Password Filter DLL" }, @@ -43120,6 +55391,22 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", "value": "Turla Group Commands May 2020" }, 
@@ -43144,6 +55431,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", "value": "Net WebClient Casing Anomalies" }, @@ -43168,6 +55464,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "value": "Suspicious Rundll32 Activity Invoking Sys File" }, @@ -43209,8 +55514,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml" ], "tags": [ @@ -43218,6 +55523,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "value": "File Download Using ProtocolHandler.exe" }, 
@@ -43242,13 +55556,22 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "value": "Add User to Local Administrators" }, { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases)", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) viq CommandLine", "meta": { - "author": "James Pemberton / @4A616D6573", + "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "creation_date": "2019/10/24", "falsepositive": [ "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." @@ -43259,6 +55582,7 @@ "logsource.product": "windows", "refs": [ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" ], @@ -43267,6 +55591,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "value": "Usage Of Web Request Commands And Cmdlets" }, 
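Review bot: The new description string for `Usage Of Web Request Commands And Cmdlets` contains a typo, `viq CommandLine`, and the reworded description in the `Suspicious PowerShell Parent Process` hunk further down still reads `Detects a suspicious parents of powershell.exe process`. Both strings appear to be copied from the upstream Sigma rules the `refs` point at, so a local edit would presumably be overwritten on the next regeneration; the fix belongs in `proc_creation_win_web_request_cmd_and_cmdlets.yml` and the corresponding parent-process rule upstream, followed by a re-import. The intended wording here is `"description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine"`.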
@@ -43291,6 +55624,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "value": "Winrar Compressing Dump Files" }, @@ -43307,10 +55649,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", + "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" ], "tags": [ @@ -43320,6 +55662,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", "value": "Emotet Process Creation" }, @@ -43337,8 +55688,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml" ], 
@@ -43348,6 +55699,15 @@ "attack.t1087.002" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "value": "Suspicious Reconnaissance Activity Using Net" }, @@ -43374,6 +55734,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation STDIN+ Launcher" }, @@ -43424,6 +55793,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6", "value": "WMI Spawning Windows PowerShell" }, @@ -43452,6 +55837,22 @@ "attack.t1114" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "25676e10-2121-446e-80a4-71ff8506af47", "value": "Exchange PowerShell Snap-Ins Usage" }, 
@@ -43477,6 +55878,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", "value": "UAC Bypass Using DismHost" }, @@ -43503,6 +55913,15 @@ "attack.s0040" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", "value": "Htran or NATBypass Markers" }, @@ -43528,6 +55947,15 @@ "attack.t1529" ] }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "value": "Suspicious Execution of Shutdown to Log Out" }, @@ -43544,9 +55972,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ 
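Review bot: The `related` block added for `Htran or NATBypass Markers` maps only a technique although the visible tag list ends with the software tag `attack.s0040`; the same pattern appears for `REvil Kaseya Incident Malware Patterns` further down, whose last tag is the group tag `attack.g0115` and whose single `dest-uuid` (`7385dfaf-6886-4229-9ecd-6fd678040830`) is the one that follows `attack.t1059` elsewhere in this chunk. It looks like the relationship script resolves only `attack.t*` tags and silently drops `attack.s*` and `attack.g*` tags, which is a defensible choice but should be stated, because a reader of the `related` array would otherwise assume the ATT&CK links are complete. If software and group tags are meant to link into the tool and intrusion-set galaxies, that is a gap in the generator rather than in this file.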
@@ -43554,6 +55982,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d06be4b9-8045-428b-a567-740a26d9db25", "value": "Verclsid.exe Runs COM Object" }, @@ -43570,8 +56007,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://ss64.com/nt/mklink.html", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml" ], "tags": [ @@ -43607,6 +56044,29 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", "value": "Command Line Execution with Suspicious URL and AppData Strings" }, @@ -43664,6 +56124,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa4b21c9-0057-4493-b289-2556416ae4d7", "value": "Squirrel Lolbin" }, 
@@ -43681,9 +56150,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", - "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", + "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" ], "tags": [ @@ -43691,6 +56160,15 @@ "attack.t1204" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", "value": "DarkSide Ransomware Pattern" }, @@ -43760,6 +56238,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", "value": "Execute Pcwrun.EXE To Leverage Follina" }, @@ -43784,6 +56271,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "value": "Suspicious Use of CSharp Interactive Console" }, 
@@ -43800,8 +56296,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml" ], "tags": [ @@ -43809,6 +56305,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", "value": "Netsh Port or Application Allowed" }, @@ -43834,6 +56339,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", "value": "Suspicious Rundll32 Script in CommandLine" }, @@ -43883,6 +56397,15 @@ "attack.t1552.006" ] }, + "related": [ + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", "value": "Suspicious Recon Activity Using Findstr Keywords" }, 
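Review bot: The `refs` entry `"https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)"` in the `Netsh Port or Application Allowed` hunk is a URL with a trailing annotation in the same string, so any consumer that treats `refs` as a list of links gets a value that does not resolve. The commit only moves the line and it is presumably inherited from the upstream rule, but having the generator validate refs (reject or truncate at the first whitespace, or keep the annotation in a separate field) would stop the pattern from spreading to other entries.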
@@ -43900,9 +56423,9 @@ "logsource.product": "windows", "refs": [ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/antonioCoco/RogueWinRM", + "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ @@ -43910,6 +56433,15 @@ "attack.t1134.002" ] }, + "related": [ + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", "value": "Suspicious Child Process Created as System" }, @@ -43926,11 +56458,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", - "https://www.joesandbox.com/analysis/443736/0/html", "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", + "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", + "https://www.joesandbox.com/analysis/443736/0/html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" ], "tags": [ 
@@ -43939,6 +56471,15 @@ "attack.g0115" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", "value": "REvil Kaseya Incident Malware Patterns" }, @@ -43955,8 +56496,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" ], "tags": [ @@ -43989,6 +56530,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "value": "CobaltStrike Load by Rundll32" }, @@ -44039,7 +56589,7 @@ "value": "Network Sniffing" }, { - "description": "Detects a suspicious parents of powershell.exe", + "description": "Detects a suspicious parents of powershell.exe process", "meta": { "author": "Teymur Kheirkhabarov, Harish Segar (rule)", "creation_date": "2020/03/20", @@ -44059,6 +56609,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", "value": "Suspicious PowerShell Parent Process" }, 
@@ -44075,8 +56634,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" @@ -44086,6 +56645,15 @@ "attack.t1134.004" ] }, + "related": [ + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", "value": "PPID Spoofing Tool Usage" }, @@ -44102,9 +56670,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://twitter.com/splinter_code/status/1483815103279603714", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" ], 
@@ -44126,9 +56694,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ @@ -44161,6 +56729,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "129966c9-de17-4334-a123-8b58172e664d", "value": "Suspicious Dump64.exe Execution" }, @@ -44188,6 +56765,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f37aba28-a9e6-4045-882c-d5004043b337", "value": "Suspicious Cmdl32 Execution" }, 
@@ -44204,8 +56797,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" ], @@ -44214,6 +56807,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", "value": "Suspicious Execution of Powershell with Base64" }, @@ -44238,6 +56840,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", "value": "Use of Anydesk Remote Access Software" }, @@ -44254,8 +56865,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" ], "tags": [ 
@@ -44263,6 +56874,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "value": "Suspicious Atbroker Execution" }, @@ -44289,6 +56909,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "value": "Invoke-Obfuscation Obfuscated IEX Invocation" }, @@ -44305,9 +56934,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/fireeye/DueDLLigence", - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -44315,6 +56944,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd3d1298-eb3b-476c-ac67-12847de55813", "value": "DLL Execution via Rasautou.exe" }, @@ -44339,6 +56977,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "value": "Hidden Powershell in Link File Pattern" }, 
@@ -44355,9 +57002,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/tevora-threat/SharpView/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" ], "tags": [ @@ -44369,6 +57016,29 @@ "attack.t1033" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "value": "Suspicious Execution of SharpView Aka PowerView" }, @@ -44420,6 +57090,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539", "value": "Suspicious High IntegrityLevel Conhost Legacy Option" }, 
@@ -44471,6 +57150,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b66474aa-bd92-4333-a16c-298155b120df", "value": "Suspicious Powershell No File or Command" }, @@ -44497,6 +57192,15 @@ "attack.s0108" ] }, + "related": [ + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "56321594-9087-49d9-bf10-524fe8479452", "value": "Suspicious Netsh DLL Persistence" }, @@ -44550,6 +57254,43 @@ "attack.t1003.006" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "value": "Mimikatz Command Line" }, 
@@ -44575,6 +57316,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "value": "Renamed Sysinternals Sdelete Usage" }, @@ -44591,8 +57341,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1183756892952248325", "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://twitter.com/cglyer/status/1183756892952248325", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml" ], "tags": [ @@ -44616,10 +57366,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://github.com/defaultnamehere/cookie_crimes/", "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", - "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml" ], "tags": [ 
@@ -44627,11 +57377,20 @@ "attack.t1185" ] }, + "related": [ + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "value": "Potential Data Stealing Via Chromium Headless Debugging" }, { - "description": "Detects suspicious ways to run Invoke-Execution using IEX acronym", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", "meta": { "author": "Florian Roth", "creation_date": "2022/03/24", @@ -44672,6 +57431,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "value": "NTLM Coercion Via Certutil.exe" }, @@ -44740,8 +57508,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cyber.wtf/2021/11/15/guess-whos-back/", "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", + "https://cyber.wtf/2021/11/15/guess-whos-back/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" ], "tags": [ @@ -44749,6 +57517,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", "value": "Emotet RunDLL32 Process Creation" }, 
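Review bot: The reworded description `Detects suspicious ways to run Invoke-Execution using IEX alias` names a cmdlet that does not exist; `IEX` is the alias of `Invoke-Expression`, so the change from `acronym` to `alias` fixes one word while leaving the wrong cmdlet name in place. As with the other descriptions in this file, the text appears to originate from the upstream Sigma rule, so it should be corrected there and re-imported rather than patched in the JSON. The intended line is `"description": "Detects suspicious ways to run Invoke-Expression using IEX alias"`.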
@@ -44789,8 +57566,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ @@ -44798,6 +57575,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "da2738f2-fadb-4394-afa7-0a0674885afa", "value": "Sdclt Child Processes" }, @@ -44838,9 +57624,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/neonprimetime/status/1435584010202255375", - "https://www.joesandbox.com/analysis/476188/1/iochtml", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", + "https://www.joesandbox.com/analysis/476188/1/iochtml", + "https://twitter.com/neonprimetime/status/1435584010202255375", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" ], "tags": [ @@ -44848,6 +57634,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", "value": "CVE-2021-40444 Process Pattern" }, 
@@ -44864,8 +57659,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hvs-consulting.de/lazarus-report/", "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + "https://www.hvs-consulting.de/lazarus-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" ], "tags": [ @@ -44874,6 +57669,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a", "value": "Lazarus Activity Dec20" }, @@ -44890,8 +57694,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml" ], "tags": [ @@ -44926,6 +57730,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", "value": "Suspicious Load DLL via CertOC.exe" }, @@ -44951,6 +57764,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", "value": "UAC Bypass Using Consent and Comctl32 - Process" }, 
@@ -44967,8 +57789,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -44976,6 +57798,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", "value": "Ie4uinit Lolbin Use From Invalid Path" }, @@ -44992,8 +57823,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml" ], "tags": [ @@ -45003,6 +57834,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "be344333-921d-4c4d-8bb8-e584cf584780", "value": "UAC Bypass via Event Viewer" }, 
@@ -45052,6 +57892,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" }, @@ -45068,8 +57917,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" ], "tags": [ @@ -45102,6 +57951,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", "value": "Download Arbitrary Files Via MSOHTMED.EXE" }, @@ -45129,6 +57987,22 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", "value": "Exploit for CVE-2017-0261" }, 
@@ -45145,7 +58019,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1037/", + "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml" ], "tags": [ @@ -45153,6 +58027,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "value": "Logon Scripts (UserInitMprLogonScript)" }, @@ -45177,6 +58060,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", "value": "Wmiprvse Spawning Process" }, @@ -45202,6 +58094,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", "value": "New Network Provider - CommandLine" }, @@ -45227,6 +58128,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f35c5d71-b489-4e22-a115-f003df287317", "value": "CobaltStrike Process Patterns" }, 
@@ -45253,6 +58163,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", "value": "Proxy Execution via Wuauclt" }, @@ -45270,7 +58189,6 @@ "logsource.product": "windows", "refs": [ "https://github.com/vanhauser-thc/thc-hydra", - "https://attack.mitre.org/techniques/T1110/001/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml" ], "tags": [ @@ -45295,8 +58213,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -45329,6 +58247,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", "value": "UAC Bypass Tools Using ComputerDefaults" }, 
@@ -45370,10 +58297,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -45397,8 +58324,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ @@ -45432,6 +58359,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", "value": "Monitoring For Persistence Via BITS" }, 
@@ -45481,6 +58417,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345", "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" }, @@ -45520,8 +58465,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml" ], "tags": [ @@ -45529,6 +58474,15 @@ "attack.t1563.002" ] }, + "related": [ + { + "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "value": "MSTSC Shadowing" }, @@ -45545,9 +58499,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://twitter.com/cyb3rops/status/972186477512839170", "https://securelist.com/apt-slingshot/84312/", + "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" ], "tags": [ 
@@ -45556,6 +58510,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e", "value": "Equation Group DLL_U Load" }, @@ -45573,8 +58536,8 @@ "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", - "http://www.xuetr.com/", "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "http://www.xuetr.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" ], "tags": "No established tags" @@ -45596,13 +58559,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://twitter.com/xorJosh/status/1598646907802451969", "https://ngrok.com/docs", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" ], "tags": [ 
@@ -45610,9 +58573,41 @@ "attack.t1572" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "value": "Ngrok Usage" }, + { + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_set_unsecure_powershell_policy.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "value": "Potential PowerShell Execution Policy Tampering - ProcCreation" + }, { "description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID", "meta": { 
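Review bot: The new entry `Potential PowerShell Execution Policy Tampering - ProcCreation` (uuid `cf2e938e-9a3e-4fe8-a347-411642b28a9f`) carries only the tactic tag `attack.defense_evasion` and, unlike every neighbouring entry in this hunk, receives no `related` block, which suggests the relationship script maps only `attack.tNNNN` technique tags and produces nothing for tactic-only rules. If the intent is that every rule links to an ATT&CK technique, the generator should at least report the rules it could not map, or the upstream rule needs a technique tag (T1562.001 looks like the natural fit, to be confirmed against the Sigma source). Separately, the reference `https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3` is a locale-bound URL; the `en-us` form of the same page would be the portable choice if refs are ever normalised during generation.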
@@ -45650,10 +58645,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], "tags": [ @@ -45661,6 +58656,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", "value": "Use of FSharp Interpreters" }, @@ -45677,8 +58681,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml" ], "tags": [ 
@@ -45689,6 +58693,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", "value": "Office Applications Spawning Wmi Cli" }, @@ -45705,9 +58732,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995837734379032576", "https://twitter.com/pabraeken/status/999090532839313408", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", + "https://twitter.com/pabraeken/status/995837734379032576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" ], "tags": [ @@ -45715,6 +58742,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "value": "Execute Files with Msdeploy.exe" }, @@ -45740,6 +58776,15 @@ "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", "value": "Suspicious Command With Teams Objects Pathes" }, 
@@ -45756,8 +58801,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/735261176745988096", "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120", + "https://twitter.com/mattifestation/status/735261176745988096", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml" ], "tags": [ @@ -45768,28 +58813,6 @@ "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", "value": "Powershell AMSI Bypass via .NET Reflection" }, - { - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", - "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", - "creation_date": "2018/09/03", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_susp_powershell_enc_cmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "value": "Suspicious Encoded PowerShell Command Line" - }, { "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { 
@@ -45827,8 +58850,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml" ], "tags": [ @@ -45836,6 +58859,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", "value": "Registry Parse with Pypykatz" }, @@ -45852,9 +58884,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", - "https://twitter.com/bohops/status/1477717351017680899?s=12", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + "https://twitter.com/bohops/status/1477717351017680899?s=12", + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" ], "tags": [ 
@@ -45877,9 +58909,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://twitter.com/0gtweet/status/1564968845726580736", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ @@ -45889,6 +58921,22 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "value": "Suspicious Ldifde Command Usage" }, @@ -45917,6 +58965,29 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "value": "Windows Shell Spawning Suspicious Program" }, 
@@ -45933,10 +59004,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", - "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" ], "tags": [ @@ -45944,6 +59015,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", "value": "Accesschk Usage To Check Privileges" }, @@ -45968,6 +59048,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "value": "Use of TTDInject.exe" }, @@ -45993,6 +59082,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", "value": "Using AppVLP To Circumvent ASR File Path Rule" }, 
@@ -46009,10 +59107,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" ], "tags": [ @@ -46020,6 +59118,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "value": "Suspicious Ping And Del Combination" }, @@ -46046,6 +59153,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", "value": "Suspicious Scheduled Task Creation Involving Temp Folder" }, 
@@ -46096,6 +59212,22 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "value": "MsiExec Web Install" }, @@ -46122,6 +59254,22 @@ "attack.t1059.005" ] }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", "value": "GatherNetworkInfo.vbs Script Usage" }, @@ -46148,6 +59296,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", "value": "LOLBIN Execution Of The FTP.EXE Binary" }, @@ -46173,6 +59337,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", "value": "Exploiting CVE-2019-1388" }, 
@@ -46197,6 +59370,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", "value": "Always Install Elevated MSI Spawned Cmd And Powershell" }, @@ -46223,6 +59405,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "value": "CreateDump Process Dump" }, @@ -46272,6 +59463,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1af57a4b-460a-4738-9034-db68b880c665", "value": "PowerShell SAM Copy" }, @@ -46296,6 +59496,15 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", "value": "SILENTTRINITY Stager Execution" }, @@ -46312,9 +59521,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://github.com/GhostPack/Rubeus", "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", + "https://github.com/GhostPack/Rubeus", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" ], "tags": [ 
@@ -46325,6 +59534,15 @@ "attack.t1550.003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", "value": "Rubeus Hack Tool" }, @@ -46341,8 +59559,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/killamjr/status/1179034907932315648", "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", + "https://twitter.com/killamjr/status/1179034907932315648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" ], "tags": [ @@ -46350,6 +59568,15 @@ "attack.t1059.005" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040", "value": "QBot Process Creation" }, @@ -46376,6 +59603,22 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "value": "PrintBrm ZIP Creation of Extraction" }, 
@@ -46392,11 +59635,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" ], "tags": [ 
@@ -46415,6 +59658,43 @@ "attack.s0039" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", "value": "Net.exe Execution" }, @@ -46440,6 +59720,22 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf", "value": "Shadow Copies Access via Symlink" }, @@ -46464,6 +59760,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9", "value": "Renamed Msdt.exe" }, 
@@ -46515,6 +59820,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", "value": "NSudo Tool Execution" }, @@ -46539,6 +59853,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120", "value": "UtilityFunctions.ps1 Proxy Dll" }, @@ -46555,10 +59878,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", - "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml" ], "tags": [ @@ -46566,6 +59889,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", "value": "Suspicious Rundll32 Setupapi.dll Activity" }, 
@@ -46583,8 +59915,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ @@ -46592,6 +59924,15 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", "value": "Net.exe User Account Creation" }, @@ -46608,8 +59949,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", + "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml" ], "tags": "No established tags" @@ -46641,6 +59982,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "value": "Suspicious RDP Redirect Using TSCON" }, 
@@ -46665,6 +60015,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f", "value": "Use of NetSupport Remote Access Software" }, @@ -46690,6 +60049,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0eb2107b-a596-422e-b123-b389d5594ed7", "value": "Hurricane Panda Activity" }, @@ -46717,6 +60085,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "value": "Suspicious Encoded Obfuscated LOAD String" }, @@ -46733,8 +60110,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml" ], "tags": [ @@ -46742,6 +60119,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "value": "Potential Credential Dumping Via WER" }, 
@@ -46768,6 +60154,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c", "value": "Renamed FTP.EXE Binary Execution" }, @@ -46784,8 +60186,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/chromeloader/", "https://emkc.org/s/RJjuLa", + "https://redcanary.com/blog/chromeloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml" ], "tags": [ @@ -46793,6 +60195,15 @@ "attack.t1176" ] }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", "value": "Powershell ChromeLoader Browser Hijacker" }, @@ -46818,6 +60229,15 @@ "attack.t1496" ] }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "value": "Windows Crypto Mining Indicators" }, @@ -46842,6 +60262,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", "value": "JSC Convert Javascript To Executable" }, 
@@ -46869,6 +60298,15 @@ "car.2019-04-003" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "value": "Regsvr32 Anomaly" }, @@ -46885,9 +60323,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" ], "tags": [ @@ -46895,6 +60333,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", "value": "Disable Important Scheduled Task" }, @@ -46920,6 +60367,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", "value": "Execute MSDT Via Answer File" }, @@ -46944,6 +60400,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36210e0d-5b19-485d-a087-c096088885f0", "value": "Suspicious PowerShell Parameter Substring" }, 
@@ -46960,8 +60425,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://twitter.com/_st0pp3r_/status/1560072680887525378", + "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml" ], "tags": [ @@ -46971,6 +60436,22 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878", "value": "Execute Code with Pester.bat as Parent" }, @@ -46996,6 +60477,15 @@ "attack.t1546.002" ] }, + "related": [ + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f", "value": "Suspicious ScreenSave Change by Reg.exe" }, @@ -47045,6 +60535,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", "value": "AnyDesk Inline Piped Password" }, 
@@ -47061,9 +60560,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" ], "tags": [ @@ -47071,6 +60570,15 @@ "attack.t1055.001" ] }, + "related": [ + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6345b048-8441-43a7-9bed-541133633d7a", "value": "ZOHO Dctask64 Process Injection" }, @@ -47095,6 +60603,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "value": "Possible Exfiltration Of Data Via CLI" }, @@ -47145,6 +60662,22 @@ "attack.t1027.004" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", "value": "Application Whitelisting Bypass via Dnx.exe" }, 
@@ -47162,9 +60695,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -47172,6 +60705,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", "value": "Use of VisualUiaVerifyNative.exe" }, @@ -47196,6 +60738,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e31f89f7-36fb-4697-8ab6-48823708353b", "value": "Suspicious Cmd Execution via WMI" }, @@ -47220,6 +60771,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "value": "ADCSPwn Hack Tool" }, 
@@ -47236,8 +60796,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" ], "tags": [ @@ -47269,6 +60829,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", "value": "VMToolsd Suspicious Child Process" }, @@ -47295,6 +60864,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "value": "Scheduled Task Executing Powershell Encoded Payload from Registry" }, @@ -47313,8 +60898,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" ], "tags": [ 
@@ -47322,6 +60907,15 @@ "attack.t1222.001" ] }, + "related": [ + { + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", "value": "File or Folder Permissions Modifications" }, @@ -47348,6 +60942,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "178e615d-e666-498b-9630-9ed363038101", "value": "Suspicious Elevated System Shell" }, @@ -47401,6 +61004,22 @@ "attack.t1218.003" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", "value": "Bypass UAC via CMSTP" }, @@ -47418,9 +61037,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml" ], "tags": [ 
@@ -47454,6 +61073,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", "value": "PsExec Tool Execution" }, @@ -47500,6 +61128,15 @@ "cve.2021.26857" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", "value": "CVE-2021-26857 Exchange Exploitation" }, @@ -47524,6 +61161,15 @@ "attack.t1027.005" ] }, + "related": [ + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "value": "DefenderCheck Usage" }, @@ -47540,8 +61186,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", "https://redcanary.com/blog/intelligence-insights-december-2021", + "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" ], "tags": [ @@ -47599,6 +61245,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1", "value": "Quick Execution of a Series of Suspicious Commands" }, 
@@ -47616,8 +61271,8 @@ "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -47652,6 +61307,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", "value": "UAC Bypass WSReset" }, @@ -47725,6 +61389,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", "value": "DeviceCredentialDeployment Execution" }, @@ -47741,8 +61414,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" ], "tags": [ 
@@ -47753,6 +61426,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead", "value": "Office Applications Spawning Wmi Cli Alternate" }, @@ -47777,6 +61473,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093", "value": "Service Execution" }, @@ -47802,6 +61507,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", "value": "Procdump Usage" }, @@ -47827,6 +61541,15 @@ "attack.t1218.005" ] }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1", "value": "Mshta JavaScript Execution" }, @@ -47852,6 +61575,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", "value": "Ruby Inline Command Execution" }, 
@@ -47876,6 +61608,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", "value": "Suspicious Reg Add Open Command" }, @@ -47902,6 +61643,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2", "value": "Renamed PsExec" }, @@ -47926,6 +61676,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", "value": "WSF/JSE/JS/VBA/VBE File Execution" }, @@ -47954,6 +61720,36 @@ "attack.t1027.004" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "value": "Suspicious Parent of Csc.exe" }, 
@@ -47980,6 +61776,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" }, @@ -47996,8 +61801,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" ], "tags": [ @@ -48046,8 +61851,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml" ], "tags": [ @@ -48055,6 +61860,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", "value": "EvilNum Golden Chickens Deployment via OCX Files" }, @@ -48079,6 +61893,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "value": "Delete Important Scheduled Task" }, 
@@ -48095,8 +61918,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/byt3bl33d3r/CrackMapExec", "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", + "https://github.com/byt3bl33d3r/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml" ], "tags": [ @@ -48106,6 +61929,22 @@ "attack.t1027.005" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", "value": "CrackMapExec PowerShell Obfuscation" }, @@ -48132,6 +61971,15 @@ "attack.t1027.003" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", "value": "Findstr Launching .lnk File" }, @@ -48180,6 +62028,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", "value": "Wbadmin Delete Systemstatebackup" }, @@ -48204,6 +62061,15 @@ "attack.t1074.001" ] }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", "value": "Zip A Folder With PowerShell For Staging In Temp" }, 
@@ -48214,7 +62080,8 @@ "creation_date": "2019/09/26", "falsepositive": [ "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "filename": "proc_creation_win_susp_eventlog_clear.yml", "level": "high", @@ -48222,8 +62089,10 @@ "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", + "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -48233,6 +62102,22 @@ "car.2016-04-002" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "value": "Suspicious Eventlog Clear or Configuration Using Wevtutil" }, 
@@ -48283,6 +62168,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "value": "Write Protect For Storage Disabled" }, @@ -48310,6 +62204,22 @@ "attack.t1134.002" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "15619216-e993-4721-b590-4c520615a67d", "value": "Meterpreter or Cobalt Strike Getsystem Service Start" }, @@ -48334,6 +62244,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "value": "Suspicious Certreq Command to Download" }, @@ -48357,6 +62276,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eb87818d-db5d-49cc-a987-d5da331fbd90", "value": "Stop Windows Service" }, 
@@ -48381,6 +62309,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", "value": "Process Creation with Renamed BrowserCore.exe" }, @@ -48405,6 +62349,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", "value": "Suspicious Listing of Network Connections" }, @@ -48429,6 +62382,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02b18447-ea83-4b1b-8805-714a8a34546a", "value": "Suspicious OfflineScannerShell.exe Execution From Another Folder" }, @@ -48456,6 +62418,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", "value": "Seatbelt PUA Tool" }, @@ -48481,6 +62452,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", "value": "UAC Bypass Abusing Winsat Path Parsing - Process" }, 
@@ -48505,6 +62485,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", "value": "Suspicious Reg Add BitLocker" }, @@ -48529,6 +62518,15 @@ "attack.t1216.001" ] }, + "related": [ + { + "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "45d3a03d-f441-458c-8883-df101a3bb146", "value": "Launch-VsDevShell.PS1 Proxy Execution" }, @@ -48554,6 +62552,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "value": "Always Install Elevated Windows Installer" }, @@ -48582,6 +62589,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f3d39c45-de1a-4486-a687-ab126124f744", "value": "Sdiagnhost Calling Suspicious Child Process" }, @@ -48647,8 +62663,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml" ], "tags": [ 
@@ -48680,6 +62696,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "value": "Suspicious Shells Spawn by SQL Server" }, @@ -48706,6 +62731,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", "value": "Suspicious Xor PowerShell Command Line" }, @@ -48731,6 +62765,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", "value": "UAC Bypass Using MSConfig Token Modification - Process" }, @@ -48747,9 +62790,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://twitter.com/splinter_code/status/1483815103279603714", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" ], 
@@ -48805,6 +62848,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", "value": "Script Interpreter Execution From Suspicious Folder" }, @@ -48832,6 +62884,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "value": "Suspicious PowerShell Cmdline" }, @@ -48848,8 +62909,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml" ], "tags": [ @@ -48857,6 +62918,15 @@ "attack.t1218.001" ] }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "value": "HH.exe Remote CHM File Execution" }, 
@@ -48873,8 +62943,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" ], "tags": [ @@ -48882,6 +62952,15 @@ "attack.t1560" ] }, + "related": [ + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "value": "Conti NTDS Exfiltration Command" }, @@ -48906,6 +62985,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", "value": "Windows Firewall Disabled via PowerShell" }, @@ -48932,6 +63020,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", "value": "Invoke-Obfuscation VAR+ Launcher" }, 
@@ -48958,31 +63055,6 @@ "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "value": "Suspicious Svchost Process" }, - { - "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_bitstransfer.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.persistence", - "attack.t1197" - ] - }, - "uuid": "cd5c8085-4070-4e22-908d-a5b3342deb74", - "value": "Suspicious Bitstransfer via PowerShell" - }, { "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", "meta": { @@ -49004,6 +63076,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "value": "Suspicious NT Resource Kit Auditpol Usage" }, 
@@ -49030,6 +63111,22 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", "value": "Windows Update Client LOLBIN" }, @@ -49046,8 +63143,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/shantanu561993/SharpChisel", "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/shantanu561993/SharpChisel", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml" ], "tags": [ @@ -49055,6 +63152,15 @@ "attack.t1090.001" ] }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", "value": "SharpChisel Usage" }, @@ -49072,8 +63178,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ 
@@ -49099,9 +63205,9 @@ "refs": [ "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "http://blog.sevagas.com/?Hacking-around-HTA-files", - "https://twitter.com/mattifestation/status/1326228491302563846", "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://twitter.com/mattifestation/status/1326228491302563846", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" ], "tags": [ @@ -49113,6 +63219,29 @@ "cve.2020.1599" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "value": "MSHTA Suspicious Execution 01" }, @@ -49160,6 +63289,29 @@ "attack.t1574.005" ] }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "value": "SharpUp PrivEsc Tool" }, 
@@ -49176,8 +63328,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ @@ -49185,6 +63337,15 @@ "attack.t1005" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", "value": "VeeamBackup Database Credentials Dump" }, @@ -49209,6 +63370,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", "value": "WMI Uninstall An Application" }, @@ -49225,8 +63395,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml" ], "tags": [ 
@@ -49234,6 +63404,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "value": "OpenWith.exe Executes Specified Binary" }, @@ -49250,8 +63429,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" ], @@ -49260,6 +63439,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b768e71-86f2-4879-b448-81061cbae951", "value": "Suspicious Manipulation Of Default Accounts" }, @@ -49276,8 +63464,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" ], "tags": [ 
@@ -49286,6 +63474,15 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316", "value": "Rundll32 Registered COM Objects" }, @@ -49333,6 +63530,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "value": "Suspicious Splwow64 Without Params" }, @@ -49349,9 +63555,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -49359,6 +63565,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "value": "Use NTFS Short Name in Command Line" }, 
@@ -49375,8 +63590,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", + "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" ], "tags": [ @@ -49385,6 +63600,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "value": "Run PowerShell Script from Redirected Input Stream" }, @@ -49436,6 +63660,22 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422", "value": "Judgement Panda Exfil Activity" }, @@ -49461,6 +63701,15 @@ "attack.t1106" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", "value": "TA505 Dropper Load Pattern" }, 
@@ -49487,6 +63736,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "value": "Encoded PowerShell Command Line" }, @@ -49566,6 +63824,22 @@ "attack.t1036.005" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3711eee4-a808-4849-8a14-faf733da3612", "value": "Greenbug Campaign Indicators" }, @@ -49590,6 +63864,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", "value": "Windows Cmd Delete File" }, @@ -49606,8 +63889,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml" ], "tags": [ 
@@ -49615,6 +63898,15 @@ "attack.t1218.001" ] }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "value": "HH.exe Execution" }, @@ -49642,6 +63934,29 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", "value": "PowerShell DownloadFile" }, @@ -49658,8 +63973,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" ], "tags": [ 
@@ -49683,8 +63998,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" ], "tags": [ 
@@ -49709,6 +64024,71 @@ "attack.t1082" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "379809f6-2fac-42c1-bd2e-e9dee70b27f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "22522668-ddf6-470b-a027-9d6866679f67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "value": "Potential Suspicious Activity Using SeCEdit" }, 
@@ -49735,6 +64115,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d", "value": "Suspicious Msiexec Execute Arbitrary DLL" }, @@ -49759,6 +64148,15 @@ "attack.resource_development" ] }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", "value": "PurpleSharp Indicator" }, @@ -49775,8 +64173,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.exploit-db.com/exploits/37525", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", + "https://www.exploit-db.com/exploits/37525", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], @@ -49799,8 +64197,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml" ], "tags": [ 
@@ -49908,6 +64306,15 @@ "attack.t1204" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0acaad27-9f02-4136-a243-c357202edd74", "value": "Ryuk Ransomware Command Line Activity" }, @@ -49924,8 +64331,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" ], "tags": [ @@ -49940,6 +64347,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", "value": "Default PowerSploit and Empire Schtasks Persistence" }, @@ -49964,6 +64387,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2c28c248-7f50-417a-9186-a85b223010ee", "value": "Wscript Shell Run In CommandLine" }, 
@@ -49980,10 +64412,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/cglyer/status/1355171195654709249", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" ], "tags": [ @@ -50016,6 +64448,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", "value": "Explorer NOUACCHECK Flag" }, @@ -50044,6 +64485,15 @@ "car.2013-05-009" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", "value": "Suspicious Use of Procdump on LSASS" }, 
@@ -50062,10 +64512,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], @@ -50074,6 +64524,15 @@ "attack.t1567" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe" }, @@ -50105,6 +64564,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", "value": "Chafer Activity" }, 
@@ -50129,6 +64604,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", "value": "Gpg4Win Decrypt Files From Suspicious Locations" }, @@ -50169,8 +64653,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" ], @@ -50218,11 +64702,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" ], "tags": [ 
@@ -50230,6 +64714,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", "value": "Domain Trust Discovery" }, @@ -50246,8 +64739,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml" ], "tags": [ @@ -50308,6 +64801,22 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "440a56bf-7873-4439-940a-1c8a671073c2", "value": "GALLIUM Sha1 Artefacts" }, @@ -50335,6 +64844,22 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", "value": "Terminal Service Process Spawn" }, 
@@ -50352,9 +64877,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" ], "tags": [ @@ -50362,6 +64887,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "207b0396-3689-42d9-8399-4222658efc99", "value": "PsExec/PAExec Flags" }, @@ -50404,8 +64938,8 @@ "logsource.product": "windows", "refs": [ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" ], "tags": [ @@ -50413,6 +64947,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "value": "Operator Bloopers Cobalt Strike Commands" }, 
@@ -50437,6 +64980,22 @@ "attack.t1564.003" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "value": "Covenant Launcher Indicators" }, @@ -50464,6 +65023,15 @@ "attack.t1070.001" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "value": "Disable or Delete Windows Eventlog" }, @@ -50506,9 +65074,9 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", + "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", - "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" ], "tags": [ @@ -50516,6 +65084,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b", "value": "Formbook Process Creation" }, 
@@ -50542,6 +65119,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9847f263-4a81-424f-970c-875dab15b79b", "value": "Suspicious TSCON Start as SYSTEM" }, @@ -50566,6 +65152,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", "value": "Suspicious Extexport Execution" }, @@ -50582,9 +65177,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], "tags": [ @@ -50592,6 +65187,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "value": "Suspicious Msiexec Quiet Install" }, @@ -50616,6 +65220,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "value": "RunDLL32 Spawning Explorer" }, 
@@ -50686,8 +65299,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml" ], @@ -50719,6 +65332,22 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "value": "Suspicious Spool Service Child Process" }, @@ -50745,6 +65374,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac", "value": "Rundll32 UNC Path Execution" }, @@ -50769,6 +65407,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f4bbd493-b796-416e-bbf2-121235348529", "value": "Non Interactive PowerShell" }, 
@@ -50785,8 +65432,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ @@ -50798,6 +65445,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", "value": "Execution of Renamed PaExec" }, @@ -50825,6 +65488,22 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", "value": "Esentutl Gather Credentials" }, 
@@ -50841,9 +65520,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml" ], "tags": [ @@ -50854,6 +65533,29 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", "value": "Renamed ZOHO Dctask64" }, @@ -50870,8 +65572,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ @@ -50879,6 +65581,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "value": "Use of Remote.exe" }, 
@@ -50903,6 +65614,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", "value": "Use of OpenConsole" }, @@ -50975,6 +65695,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "221b251a-357a-49a9-920a-271802777cc0", "value": "WMI Process Reconnaissance" }, @@ -51000,6 +65729,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "value": "Ilasm Lolbin Use Compile C-Sharp" }, @@ -51024,6 +65762,15 @@ "attack.t1593.003" ] }, + "related": [ + { + "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aef9d1f1-7396-4e92-a927-4567c7a495c1", "value": "Suspicious Git Clone" }, @@ -51049,6 +65796,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", "value": "Shell32 DLL Execution in Suspicious Directory" }, @@ -51073,6 +65829,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469", "value": "Suspicious MsiExec Embedding Parent" }, 
@@ -51147,6 +65912,15 @@ "attack.t1021.001" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48a61b29-389f-4032-b317-b30de6b95314", "value": "Suspicious Plink Port Forwarding" }, @@ -51164,10 +65938,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://vms.drweb.fr/virus/?i=24144899", + "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml" ], "tags": [ @@ -51247,6 +66021,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", "value": "Too Long PowerShell Commandlines" }, @@ -51271,6 +66054,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", "value": "Remote File Download via Desktopimgdownldr Utility" }, 
@@ -51316,6 +66108,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", "value": "Credential Acquisition via Registry Hive Dumping" }, @@ -51340,6 +66141,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "43103702-5886-11ed-9b6a-0242ac120002", "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" }, @@ -51369,6 +66179,36 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", "value": "SquiblyTwo Execution" }, @@ -51396,6 +66236,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", "value": "Automated Collection Command Prompt" }, 
@@ -51445,6 +66294,15 @@ "attack.t1529" ] }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", "value": "Suspicious Execution of Shutdown" }, @@ -51496,6 +66354,29 @@ "cve.2019.1378" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "value": "Exploiting SetupComplete.cmd CVE-2019-1378" }, @@ -51512,15 +66393,24 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://twitter.com/pabraeken/status/993298228840992768", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", "value": "Malicious Windows Script Components File Execution by TAEF Detection" }, 
@@ -51558,8 +66448,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml" ], "tags": [ @@ -51567,6 +66457,15 @@ "attack.t1614.001" ] }, + "related": [ + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7090adee-82e2-4269-bd59-80691e7c6338", "value": "CHCP CodePage Locale Lookup" }, @@ -51583,8 +66482,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml" ], "tags": [ 
@@ -51595,6 +66494,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "value": "Lolbins Process Creation with WmiPrvse" }, @@ -51622,6 +66544,29 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "value": "RedMimicry Winnti Playbook Execute" }, @@ -51647,6 +66592,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef", "value": "Netsh Allow Group Policy on Microsoft Defender Firewall" }, 
@@ -51663,10 +66617,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/1276357235954909188?s=12", - "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://twitter.com/nas_bench/status/1535322450858233858", + "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" ], "tags": [ @@ -51690,10 +66644,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://twitter.com/lefterispan/status/1286259016436514816", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" ], "tags": [ @@ -51701,6 +66655,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "value": "Suspicious AgentExecutor PowerShell Execution" }, 
@@ -51727,6 +66690,15 @@ "attack.t1220" ] }, + "related": [ + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", "value": "XSL Script Processing" }, @@ -51751,6 +66723,15 @@ "attack.t1216.001" ] }, + "related": [ + { + "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "value": "Pubprn.vbs Proxy Execution" }, @@ -51800,6 +66781,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", "value": "Use of Forfiles For Execution" }, @@ -51849,6 +66839,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "727454c0-d851-48b0-8b89-385611ab0704", "value": "Lolbin Unregmp2.exe Use As Proxy" }, 
@@ -51866,12 +66865,12 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
 "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://github.com/zcgonvh/NTDSDumpEx",
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://pentestlab.blog/tag/ntds-dit/",
+ "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
 ],
 "tags": [
@@ -51879,6 +66878,15 @@
 "attack.t1003.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08",
 "value": "Suspicious Process Patterns NTDS.DIT Exfil"
 },
@@ -51895,9 +66903,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
 ],
 "tags": [
@@ -51905,6 +66913,15 @@
 "attack.t1005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b",
 "value": "Conti Backup Database"
 },
@@ -51921,13 +66938,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
 "https://www.cobaltstrike.com/help-opsec",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
 ],
 "tags": [
@@ -51935,6 +66952,15 @@
 "attack.t1218.011"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329",
 "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
 },
@@ -51959,6 +66985,15 @@
 "attack.t1218.010"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0",
 "value": "BlueMashroom DLL Load"
 },
@@ -51976,9 +67011,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
 "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
 ],
 "tags": "No established tags"
@@ -51987,7 +67022,7 @@
 "value": "CrackMapExec Command Line Flags"
 },
 {
- "description": "Use \">\" to redicrect information in commandline",
+ "description": "Detects use of redirection character \">\" to redicrect information in commandline",
 "meta": {
 "author": "frack113",
 "creation_date": "2022/01/22",
@@ -52031,6 +67066,15 @@
 "attack.t1059.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "23250293-eed5-4c39-b57a-841c8933a57d",
 "value": "Cscript Visual Basic Script Execution"
 },
@@ -52047,8 +67091,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
 "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
 ],
 "tags": [
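Review bot: The rewritten description for the `">"` redirection rule still carries the typo "redicrect"; the new line should read `"description": "Detects use of redirection character \">\" to redirect information in commandline",`. The text appears to be mirrored from the upstream SigmaHQ/sigma rule, so the correction belongs there and would propagate on the next regeneration rather than being hand-patched in this file.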
@@ -52056,6 +67100,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275",
 "value": "Suspicious PowerShell Download and Execute Pattern"
 },
@@ -52081,6 +67134,15 @@
 "attack.t1555"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a",
 "value": "SecurityXploded Tool"
 },
@@ -52098,9 +67160,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
 ],
 "tags": [
@@ -52133,6 +67195,15 @@
 "attack.privilege_escalation"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9",
 "value": "SysmonEOP Hack Tool"
 },
@@ -52157,6 +67228,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d",
 "value": "Python Spawning Pretty TTY on Windows"
 },
@@ -52173,8 +67253,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
+ "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
 ],
 "tags": [
@@ -52182,6 +67262,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9292293b-8496-4715-9db6-37028dcda4b3",
 "value": "Replace.exe Usage"
 },
@@ -52206,6 +67295,15 @@
 "attack.t1070.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896",
 "value": "Mounted Share Deleted"
 },
@@ -52233,6 +67331,15 @@
 "attack.execution"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc",
 "value": "Indirect Command Execution By Program Compatibility Wizard"
 },
@@ -52259,6 +67366,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490",
 "value": "Invoke-Obfuscation Via Stdin"
 },
@@ -52283,6 +67399,15 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00",
 "value": "Suspicious aspnet_compiler.exe Execution"
 },
@@ -52299,8 +67424,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hvs-consulting.de/lazarus-report/",
 "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
+ "https://www.hvs-consulting.de/lazarus-report/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml"
 ],
 "tags": [
@@ -52309,6 +67434,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e",
 "value": "Lazarus Loaders"
 },
@@ -52325,9 +67459,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
 "https://www.joeware.net/freetools/tools/adfind/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml"
 ],
 "tags": [
@@ -52373,8 +67507,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/child-processes/",
 "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
+ "https://redcanary.com/blog/child-processes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml"
 ],
 "tags": [
@@ -52382,6 +67516,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34",
 "value": "Script Event Consumer Spawning Process"
 },
@@ -52406,6 +67549,15 @@
 "attack.t1069.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32",
 "value": "Suspicious Get Local Groups Information with WMIC"
 },
@@ -52422,8 +67574,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml"
 ],
 "tags": [
@@ -52431,6 +67583,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd",
 "value": "WMI Remote Command Execution"
 },
@@ -52447,8 +67608,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/ch2sh/Jlaive",
 "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
+ "https://github.com/ch2sh/Jlaive",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml"
 ],
 "tags": [
@@ -52456,6 +67617,15 @@
 "attack.t1059.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def",
 "value": "Jlaive Usage For Assembly Execution In-Memory"
 },
@@ -52473,8 +67643,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml"
 ],
 "tags": [
@@ -52509,6 +67679,22 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31",
 "value": "CsExec Remote Execution Tool Usage"
 },
@@ -52525,8 +67711,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
 ],
@@ -52559,6 +67745,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f",
 "value": "Potential Download/Upload Activity Using Type Command"
 },
@@ -52584,6 +67779,15 @@
 "attack.t1218.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b98d0db6-511d-45de-ad02-e82a98729620",
 "value": "Mshta Remotely Hosted HTA File Execution"
 },
@@ -52600,9 +67804,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml"
 ],
 "tags": [
@@ -52628,8 +67832,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
 "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
 "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
 "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml"
@@ -52639,6 +67843,15 @@
 "attack.t1552.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "87a476dc-0079-4583-a985-dee7a20a03de",
 "value": "Enumeration for 3rd Party Creds From CLI"
 },
@@ -52684,6 +67897,15 @@
 "attack.t1560.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f",
 "value": "Winrar Execution in Non-Standard Folder"
 },
@@ -52708,6 +67930,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aa8e035d-7be4-48d3-a944-102aec04400d",
 "value": "Suspicious Extrac32 Execution"
 },
@@ -52724,8 +67955,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sensepost/ruler",
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://github.com/sensepost/ruler",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml"
 ],
 "tags": [
@@ -52734,6 +67965,22 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723",
 "value": "Suspicious Execution from Outlook"
 },
@@ -52797,17 +68044,19 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://adsecurity.org/?p=2921",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/samratashok/nishang",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -52823,6 +68072,43 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "02030f2f-6199-49ec-b258-ea71b07e03dc",
 "value": "Malicious PowerShell Commandlets - ProcessCreation"
 },
@@ -52847,6 +68133,15 @@
 "attack.t1070.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "204b17ae-4007-471b-917b-b917b315c5db",
 "value": "Suspicious Del in CommandLine"
 },
@@ -52894,6 +68189,22 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9",
 "value": "Potential Binary Impersonating Sysinternals Tools"
 },
@@ -52978,9 +68289,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
 "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml"
 ],
 "tags": [
@@ -52988,6 +68299,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "af491bca-e752-4b44-9c86-df5680533dbc",
 "value": "Finger.exe Suspicious Invocation"
 },
@@ -53014,6 +68334,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d",
 "value": "MpiExec Lolbin"
 },
@@ -53030,8 +68359,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml"
 ],
 "tags": [
@@ -53056,8 +68385,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
- "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
 "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml"
 ],
 "tags": [
@@ -53065,6 +68394,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3",
 "value": "Execute MSDT.EXE Using Diagcab File"
 },
@@ -53081,10 +68419,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
 "https://twitter.com/lefterispan/status/1286259016436514816",
- "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
 ],
 "tags": [
@@ -53092,6 +68430,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61",
 "value": "AgentExecutor PowerShell Execution"
 },
@@ -53118,6 +68465,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9",
 "value": "Renamed PAExec"
 },
@@ -53141,6 +68497,15 @@
 "attack.t1048"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "99793437-3e16-439b-be0f-078782cf953d",
 "value": "Tap Installer Execution"
 },
@@ -53166,6 +68531,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7",
 "value": "UAC Bypass Using NTFS Reparse Point - Process"
 },
@@ -53192,6 +68566,15 @@
 "attack.t1021.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183",
 "value": "Suspicious SSH Port Forwarding"
 },
@@ -53217,6 +68600,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f",
 "value": "Application Whitelisting Bypass via PresentationHost.exe"
 },
@@ -53234,9 +68626,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
 "https://twitter.com/cyb3rops/status/1514217991034097664",
 "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
 ],
 "tags": [
@@ -53246,6 +68638,22 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16",
 "value": "Remote Procedure Call Service Anomaly"
 },
@@ -53271,6 +68679,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "60f16a96-db70-42eb-8f76-16763e333590",
 "value": "Application Whitelisting Bypass via Dxcap.exe"
 },
@@ -53297,6 +68714,15 @@
 "attack.t1486"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "689308fc-cfba-4f72-9897-796c1dc61487",
 "value": "Conti Ransomware Execution"
 },
@@ -53321,6 +68747,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053",
 "value": "Use of ScreenConnect Remote Access Software"
 },
@@ -53337,8 +68772,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://twitter.com/mrd0x/status/1511489821247684615",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml"
 ],
 "tags": [
@@ -53347,6 +68782,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce",
 "value": "Suspicious DumpMinitool Usage"
 },
@@ -53363,8 +68807,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" ], "tags": [ @@ -53412,8 +68856,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" ], "tags": [ @@ -53447,6 +68891,22 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "value": "Curl Start Combination" }, @@ -53471,6 +68931,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7dc2dedd-7603-461a-bc13-15803d132355", "value": "Conhost Parent Process Executions" }, 
@@ -53487,8 +68956,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml" ], "tags": [ @@ -53538,8 +69007,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" ], "tags": [ 
@@ -53547,34 +69016,18 @@
 "attack.resource_development"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d",
 "value": "Conti Volume Shadow Listing"
 },
- {
- "description": "Detects suspicious powershell invocations from interpreters or unusual programs",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Microsoft Operations Manager (MOM)",
- "Other scripts"
- ],
- "filename": "proc_creation_win_susp_powershell_parent_combo.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db",
- "value": "Suspicious PowerShell Invocation Based on Parent Process"
- },
 {
 "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.",
 "meta": {
@@ -53588,8 +69041,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml"
 ],
 "tags": [
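Review bot: The first hunk deletes the whole cluster value for `proc_creation_win_susp_powershell_parent_combo.yml`, so uuid `95eadcb2-92e4-4ed1-9031-92547773a6db` vanishes from the galaxy and any event or object on another MISP instance that already carries that cluster tag can no longer resolve it. The rule appears to have been retired upstream in Sigma, but for a galaxy that is synchronised outward it is safer to keep the entry and mark it retired than to remove it; if I recall correctly the ATT&CK galaxies in this repository keep revoked techniques with a `"revoked": true` marker and a `revoked-by` relation instead of dropping them, and the same shape would work here. Failing that, the commit message should state that cluster values are being removed, because a diffstat of ~20k added lines hides the deletion.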
@@ -53597,6 +69050,15 @@
 "attack.t1053.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc",
 "value": "Interactive AT Job"
 },
@@ -53645,9 +69107,390 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "value": "Suspicious Add Scheduled Command Pattern" }, + { + "description": "Detects a highly relevant Antivirus alert that reports a password dumper", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_password_dumper.yml", + "level": "critical", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection", + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1558", + "attack.t1003.001", + "attack.t1003.002" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", + "value": "Antivirus Password Dumper Detection" + }, + { + "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", + "meta": { + 
"author": "Sittikorn S, Nuttakorn T, Tim Shelton", + "creation_date": "2021/07/01", + "falsepositive": [ + "Unlikely, or pending PSP analysis" + ], + "filename": "av_printernightmare_cve_2021_34527.yml", + "level": "critical", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", + "https://twitter.com/mvelazco/status/1410291741241102338", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", + "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" + }, + { + "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", + "meta": { + "author": "Florian Roth, Arnim Rupp", + "creation_date": "2018/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_relevant_files.yml", + "level": "high", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_relevant_files.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588" + ] + }, + "related": [ + { + "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c", + "value": "Antivirus Relevant File Paths Alerts" + }, + { + "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/09/09", + "falsepositive": [ + 
"Unlikely" + ], + "filename": "av_exploiting.yml", + "level": "critical", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.command_and_control", + "attack.t1219" + ] + }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", + "value": "Antivirus Exploitation Framework Detection" + }, + { + "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_hacktool.yml", + "level": "high", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ] + }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", + "value": "Antivirus Hacktool Detection" + }, + { + "description": "Detects a highly relevant Antivirus alert that reports a web shell. 
It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.", + "meta": { + "author": "Florian Roth, Arnim Rupp", + "creation_date": "2018/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_webshell.yml", + "level": "high", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", + "value": "Antivirus Web Shell Detection" + }, + { + "description": "Detects a highly relevant Antivirus alert that reports ransomware", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/12", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_ransomware.yml", + "level": "critical", + "logsource.category": "antivirus", + "logsource.product": "No established product", 
+ "refs": [ + "https://www.nextron-systems.com/?s=antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" + ], + "tags": [ + "attack.t1486" + ] + }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", + "value": "Antivirus Ransomware Detection" + }, + { + "description": "Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields", + "meta": { + "author": "@juju4", + "creation_date": "2022/12/27", + "falsepositive": [ + "Inventory and monitoring activity", + "Vulnerability scanners", + "Legitimate applications" + ], + "filename": "db_anomalous_query.yml", + "level": "medium", + "logsource.category": "database", + "logsource.product": "No established product", + "refs": [ + "https://github.com/sqlmapproject/sqlmap", + "https://github.com/SigmaHQ/sigma/tree/master/rules/category/database/db_anomalous_query.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.initial_access", + "attack.privilege_escalation", + "attack.t1190", + "attack.t1505.001" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5", + "value": "Suspicious SQL Query" + }, + { + "description": "Detects an issue in apache logs that reports threading related errors", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/22", + "falsepositive": [ + "3rd party apache modules - 
https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" + ], + "filename": "web_apache_threading_error.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/product/apache/web_apache_threading_error.yml" + ], + "tags": "No established tags" + }, + "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", + "value": "Apache Threading Error" + }, + { + "description": "Detects a segmentation fault error message caused by a creashing apache worker process", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "web_apache_segfault.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "http://www.securityfocus.com/infocus/1633", + "https://github.com/SigmaHQ/sigma/tree/master/rules/product/apache/web_apache_segfault.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ] + }, + "related": [ + { + "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1", + "value": "Apache Segmentation Fault" + }, + { + "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/28", + "falsepositive": [ + "Vulnerability scanners", + "Frequent attacks if system faces Internet" + ], + "filename": "modsec_mulitple_blocks.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "modsecurity", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/product/modsecurity/modsec_mulitple_blocks.yml" 
+ ], + "tags": [ + "attack.impact", + "attack.t1499" + ] + }, + "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", + "value": "Multiple Modsecurity Blocks" + }, { "description": "Detects when an security threat is detected in Okta.", "meta": { @@ -53662,8 +69505,8 @@ "logsource.product": "okta", "refs": [ "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": "No established tags" @@ -53950,8 +69793,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml" ], "tags": [ @@ -53959,6 +69802,15 @@ "attack.t1573" ] }, + "related": [ + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95", "value": "Activity from Anonymous IP Addresses" }, 
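Review bot: Within this one hunk the `related` block is generated for some technique tags and silently not for others: `Antivirus Password Dumper Detection` carries four technique tags (t1003, t1558, t1003.001, t1003.002) but only three `related` entries, and `Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection` (t1055), `Antivirus Web Shell Detection` (t1505.003) and `Multiple Modsecurity Blocks` (t1499) get no `related` at all, while `Apache Segmentation Fault` (t1499.004) and `Suspicious SQL Query` (t1190, t1505.001) do. That pattern looks like the new relationship script skipping any `attack.tNNNN` tag it fails to resolve against the ATT&CK galaxy rather than a deliberate choice; it should log or fail on an unresolved tag so the gaps are visible, and the galaxy version it resolved against should be named in the commit so the mapping can be reproduced. Every relation is stamped `likelihood-probability="almost-certain"`; that is defensible when the link is derived from the rule author's own tags, but it reads as an analyst assessment to consumers and deserves a sentence in the cluster description. The newly added entries also continue the `"tags": "No established tags"` sentinel (see `Apache Threading Error`), which makes `tags` sometimes a string and sometimes an array; an empty array `[]` would let consumers iterate without a type check. Description typos such as `keywrods` and `creashing` are mirrored from upstream Sigma and should be fixed there, not patched in this generated file.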
@@ -53975,8 +69827,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml" ], "tags": [ @@ -53984,6 +69836,15 @@ "attack.t1537" ] }, + "related": [ + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda", "value": "Data Exfiltration to Unsanctioned Apps" }, @@ -54000,8 +69861,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml" ], "tags": [ @@ -54009,6 +69870,15 @@ "attack.t1573" ] }, + "related": [ + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498", "value": "Activity from Suspicious IP Addresses" }, 
@@ -54025,8 +69895,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml" ], "tags": [ @@ -54034,6 +69904,15 @@ "attack.t1020" ] }, + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8", "value": "Suspicious Inbox Forwarding" }, @@ -54050,8 +69929,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml" ], "tags": [ @@ -54075,10 +69954,10 @@ "logsource.product": "m365", "refs": [ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.sygnia.co/golden-saml-advisory", - "https://o365blog.com/post/aadbackdoor/", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://o365blog.com/post/aadbackdoor/", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://www.sygnia.co/golden-saml-advisory", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" ], "tags": [ 
@@ -54086,6 +69965,15 @@ "attack.t1136.003" ] }, + "related": [ + { + "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339", "value": "New Federated Domain Added" }, @@ -54102,8 +69990,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml" ], "tags": [ @@ -54135,6 +70023,15 @@ "attack.t1114" ] }, + "related": [ + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6897cd82-6664-11ed-9022-0242ac120002", "value": "PST Export Alert Using New-ComplianceSearchAction" }, @@ -54151,8 +70048,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml" ], "tags": [ @@ -54160,6 +70057,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd", "value": "Microsoft 365 - Unusual Volume of File Deletion" }, 
@@ -54176,8 +70082,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml" ], "tags": [ @@ -54185,6 +70091,15 @@ "attack.t1199" ] }, + "related": [ + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ff246f56-7f24-402a-baca-b86540e3925c", "value": "Microsoft 365 - User Restricted from Sending Email" }, @@ -54201,8 +70116,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml" ], "tags": [ @@ -54225,8 +70140,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml" ], "tags": [ 
@@ -54250,8 +70165,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml" ], "tags": [ @@ -54259,6 +70174,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69", "value": "Microsoft 365 - Potential Ransomware Activity" }, @@ -54283,6 +70207,15 @@ "attack.t1114" ] }, + "related": [ + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0", "value": "PST Export Alert Using eDiscovery Alert" }, @@ -54299,8 +70232,8 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml" ], "tags": [ @@ -54308,6 +70241,15 @@ "attack.t1573" ] }, + "related": [ + { + "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f2468a2-5055-4212-a368-7321198ee706", "value": "Activity from Infrequent Country" }, 
@@ -54421,11 +70363,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://github.com/elastic/detection-rules/pull/1267", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://github.com/elastic/detection-rules/pull/1267", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -54473,8 +70415,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://cloud.google.com/kubernetes-engine/docs", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" ], @@ -54526,8 +70468,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" ], "tags": [ 
@@ -54535,6 +70477,15 @@
 "attack.t1562"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b",
 "value": "Google Cloud Firewall Modified or Deleted"
 },
@@ -54559,6 +70510,15 @@
 "attack.t1565"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "234f9f48-904b-4736-a34c-55d23919e4b7",
 "value": "Google Cloud Re-identifies Sensitive Information"
 },
@@ -54587,6 +70547,22 @@
 "attack.t1552.007"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6ad91e31-53df-4826-bd27-0166171c8040",
 "value": "Google Cloud Kubernetes Admission Controller"
 },
@@ -54612,6 +70588,15 @@
 "attack.t1531"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f",
 "value": "Google Cloud Service Account Disabled or Deleted"
 },
@@ -54653,8 +70638,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -54662,6 +70647,15 @@ "attack.t1074" ] }, + "related": [ + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "980a7598-1e7f-4962-9372-2d754c930d0e", "value": "Google Full Network Traffic Packet Capture" }, @@ -54679,8 +70673,8 @@ "logsource.product": "google_workspace", "refs": [ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" ], "tags": [ @@ -54712,6 +70706,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788", "value": "Google Workspace User Granted Admin Privileges" }, 
@@ -54776,8 +70779,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" ], @@ -54801,8 +70804,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" ], "tags": [ @@ -54810,6 +70813,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", "value": "Google Workspace Granted Domain API Access" }, 
@@ -54872,13 +70884,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://github.com/elastic/detection-rules/pull/1145/files", "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -54886,6 +70898,15 @@ "attack.t1537" ] }, + "related": [ + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d", "value": "AWS S3 Data Management Tampering" }, @@ -54912,6 +70933,22 @@ "attack.t1565" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223", "value": "AWS EC2 Disable EBS Encryption" }, 
@@ -54937,6 +70974,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2", "value": "AWS IAM Backdoor Users Keys" }, @@ -54962,6 +71008,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157", "value": "AWS SecurityHub Findings Evasion" }, @@ -54978,7 +71033,6 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://attack.mitre.org/techniques/T1525", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml" @@ -54988,6 +71042,15 @@ "attack.t1525" ] }, + "related": [ + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad", "value": "AWS ECS Backdoor Task Definition" }, @@ -55036,6 +71099,15 @@ "attack.t1619" ] }, + "related": [ + { + "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4723218f-2048-41f6-bcb0-417f2d784f61", "value": "Potential Storage Enumeration on AWS" }, 
@@ -55053,7 +71125,6 @@ "logsource.product": "aws", "refs": [ "https://www.justice.gov/file/1080281/download", - "https://attack.mitre.org/techniques/T1537/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml" ], "tags": [ @@ -55061,6 +71132,15 @@ "attack.t1537" ] }, + "related": [ + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d", "value": "AWS Snapshot Backup Exfiltration" }, @@ -55085,6 +71165,15 @@ "attack.t1580" ] }, + "related": [ + { + "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "76255e09-755e-4675-8b6b-dbce9842cd2a", "value": "Potential Backup Enumeration on AWS" }, @@ -55109,6 +71198,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964", "value": "AWS EFS Fileshare Mount Modified or Deleted" }, @@ -55134,6 +71232,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b", "value": "AWS Route 53 Domain Transferred to Another Account" }, @@ -55158,6 +71265,15 @@ "attack.resource_development" ] }, + "related": [ + { + "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60b84424-a724-4502-bd0d-cc676e1bc90e", "value": "Potential AWS Cloud Email Service Abuse" }, 
@@ -55213,6 +71329,22 @@ "attack.t1550.001" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49", "value": "AWS STS AssumeRole Misuse" }, @@ -55237,6 +71369,15 @@ "attack.t1020" ] }, + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2", "value": "AWS RDS Master Password Change" }, @@ -55261,6 +71402,15 @@ "attack.t1531" ] }, + "related": [ + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc", "value": "AWS ElastiCache Security Group Modified or Deleted" }, @@ -55279,8 +71429,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml" ], "tags": [ 
@@ -55293,6 +71443,22 @@ "attack.t1550.001" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", "value": "AWS Suspicious SAML Activity" }, @@ -55319,6 +71485,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0", "value": "AWS EKS Cluster Created or Deleted" }, @@ -55343,6 +71518,15 @@ "attack.t1020" ] }, + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599", "value": "Restore Public AWS RDS Instance" }, 
@@ -55393,9 +71577,67 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df", "value": "AWS EC2 Startup Shell Script Change" }, + { + "description": "Looks for potential enumeration of AWS buckets via ListBuckets.", + "meta": { + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "creation_date": "2023/01/06", + "falsepositive": [ + "Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity." 
+ ], + "filename": "aws_enum_buckets.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", + "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", + "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1580" + ] + }, + "related": [ + { + "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f305fd62-beca-47da-ad95-7690a0620084", + "value": "Potential Bucket Enumeration on AWS" + }, { "description": "An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nWith this alert, it is used to detect anyone is changing password on behalf of other users.\n", "meta": { @@ -55417,6 +71659,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "055fb148-60f8-462d-ad16-26926ce050f1", "value": "AWS User Login Profile Was Modified" }, 
@@ -55441,6 +71692,22 @@ "attack.t1537" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b", "value": "AWS EC2 VM Export Failure" }, @@ -55465,6 +71732,15 @@ "attack.t1020" ] }, + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "26ff4080-194e-47e7-9889-ef7602efed0c", "value": "AWS EC2 Download Userdata" }, @@ -55481,8 +71757,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/pull/1213", "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", + "https://github.com/elastic/detection-rules/pull/1213", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml" ], "tags": [ @@ -55493,6 +71769,22 @@ "attack.t1550.001" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b45ab1d2-712f-4f01-a751-df3826969807", "value": "AWS STS GetSessionToken Misuse" }, 
@@ -55557,9 +71849,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -55568,6 +71860,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0", "value": "AWS Route 53 Domain Transfer Lock Disabled" }, @@ -55638,6 +71939,15 @@ "attack.t1592" ] }, + "related": [ + { + "dest-uuid": "09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9c14b23-47e2-4a8b-8a63-d36618e33d70", "value": "Account Enumeration on AWS" }, @@ -55679,8 +71989,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ 
@@ -55711,6 +72021,15 @@
 "attack.t1078.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add",
 "value": "AWS Root Credentials"
 },
@@ -55759,6 +72078,22 @@
 "attack.t1136.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7",
 "value": "AWS ElastiCache Security Group Created"
 },
@@ -55783,6 +72118,15 @@
 "attack.t1212"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e",
 "value": "Use of Legacy Authentication Protocols"
 },
@@ -55886,7 +72230,7 @@
 "value": "Applications That Are Using ROPC Authentication Flow"
 },
 {
- "description": "Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.",
+ "description": "Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.",
 "meta": {
 "author": "AlertIQ",
 "creation_date": "2021/10/10",
@@ -55902,9 +72246,21 @@
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml"
 ],
 "tags": [
- "attack.credential_access"
+ "attack.credential_access",
+ "attack.t1556",
+ "attack.persistence",
+ "attack.defense_evasion"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7",
 "value": "Change to Authentication Method"
 },
@@ -55927,9 +72283,18 @@
 "tags": [
 "attack.persistence",
 "attack.defense_evasion",
- "attack.t1078"
+ "attack.t1078.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9",
 "value": "Guest User Invited By Non Approved Inviters"
 },
@@ -55983,6 +72348,15 @@
 "attack.t1552.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d",
 "value": "Azure Key Vault Modified or Deleted"
 },
@@ -56101,9 +72475,20 @@
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.defense_evasion",
+ "attack.t1562.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57",
 "value": "Azure Firewall Rule Collection Modified or Deleted"
 },
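Review bot: In `@@ -55983,6 +72348,15 @@` ("Azure Key Vault Modified or Deleted"), whose last visible tag is `attack.t1552.001`, the new related array holds a single entry, `435dfb86-2697-4867-85b5-2fef496c0517`, while in `@@ -54587,6 +70547,22 @@` a rule whose last visible tag is `attack.t1552.007` gets that same dest-uuid plus a second one (`f8ef3a62-3f44-40a4-abca-761ab235c436`), which reads as parent technique plus sub-technique. If the script derives related entries from the `attack.t*` tags, the `t1552.001` sub-technique appears not to have resolved to its own UUID here, and the same single-entry shape recurs for `attack.t1552.001` in `@@ -57456,6 +74104,15 @@` ("Azure Keyvault Key Modified or Deleted"); the tags preceding the last one are outside the hunk, so this is inferred from the visible entries only. Worth confirming whether the lookup for that id fails silently; an unresolved tag should be logged rather than dropped, otherwise consumers relying on the galaxy relationships lose the sub-technique link without any signal.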
@@ -56132,6 +72517,22 @@ "attack.t1552.007" ] }, + "related": [ + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", "value": "Azure Kubernetes Admission Controller" }, @@ -56155,6 +72556,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c1182e02-49a3-481c-b3de-0fadc4091488", "value": "Rare Subscription-level Operations In Azure" }, @@ -56229,6 +72639,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", "value": "Added Owner To Application" }, @@ -56301,6 +72720,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", "value": "User Added To Group With CA Policy Modification Access" }, @@ -56343,7 +72771,6 @@ "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", - "https://attack.mitre.org/techniques/T1078", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml" ], "tags": [ 
@@ -56448,6 +72875,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", "value": "Added Credentials to Existing Application" }, @@ -56470,9 +72906,27 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml" ], "tags": [ - "attack.impact" + "attack.impact", + "attack.t1485", + "attack.t1565.001" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", "value": "Azure Device or Configuration Modified or Deleted" }, @@ -56495,9 +72949,20 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml" ], "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.impact", + "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", "value": "Azure Application Deleted" }, @@ -56546,9 +73011,18 @@ ], "tags": [ "attack.initial_access", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95", "value": "Azure Subscription Permission Elevation Via ActivityLogs" }, 
@@ -56590,11 +73064,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -56625,6 +73099,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21", "value": "Bulk Deletion Changes To Privileged Account Permissions" }, @@ -56673,6 +73156,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5", "value": "User Added To Privilege Role" }, 
@@ -56693,9 +73185,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml" ], "tags": [ + "attack.persistence", "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", "value": "Number Of Resource Creation Or Deployment Activities" }, @@ -56788,9 +73290,20 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml" ], "tags": [ - "attack.impact" + "attack.impact", + "attack.defense_evasion", + "attack.t1562.007" ] }, + "related": [ + { + "dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23", "value": "Azure Network Firewall Policy Modified or Deleted" }, @@ -56864,6 +73377,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", "value": "Azure New CloudShell Created" }, @@ -56937,6 +73459,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", "value": "CA Policy Removed by Non Approved Actor" }, 
@@ -56961,6 +73492,15 @@ "attack.t1578.003" ] }, + "related": [ + { + "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", "value": "Azure Active Directory Hybrid Health AD FS Service Delete" }, @@ -57034,6 +73574,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", "value": "New CA Policy by Non-approved Actor" }, @@ -57059,6 +73608,22 @@ "attack.t1526" ] }, + "related": [ + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "35b781cc-1a08-4a5a-80af-42fd7c315c6b", "value": "Discovery Using AzureHound" }, @@ -57084,6 +73649,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", "value": "CA Policy Updated by Non Approved Actor" }, @@ -57130,9 +73704,18 @@ "tags": [ "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", "value": "Changes To PIM Settings" }, 
@@ -57181,6 +73764,15 @@ "attack.t1578" ] }, + "related": [ + { + "dest-uuid": "144e007b-e638-431d-a894-45d90c54ab90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", "value": "Azure Active Directory Hybrid Health AD FS New Server" }, @@ -57229,6 +73821,15 @@ "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", "value": "Multifactor Authentication Interrupted" }, @@ -57249,9 +73850,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml" ], "tags": [ - "attack.t1078" + "attack.privilege_escalation", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", "value": "User State Changed From Guest To Member" }, @@ -57301,6 +73912,15 @@ "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", "value": "Multifactor Authentication Denied" }, @@ -57325,6 +73945,15 @@ "attack.t1484" ] }, + "related": [ + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", "value": "PIM Alert Setting Changes To Disabled" }, 
@@ -57345,9 +73974,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml" ], "tags": [ - "attack.t1098" + "attack.persistence", + "attack.t1098.003" ] }, + "related": [ + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", "value": "Granting Of Permissions To An Account" }, @@ -57364,11 +74003,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -57400,6 +74039,15 @@ "attack.credential_access" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", "value": "Application URI Configuration Changes" }, 
@@ -57417,11 +74065,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
 ],
 "tags": [
@@ -57456,6 +74104,15 @@
 "attack.t1552.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "80eeab92-0979-4152-942d-96749e11df40",
 "value": "Azure Keyvault Key Modified or Deleted"
 },
@@ -57528,6 +74185,15 @@
 "attack.credential_access"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1",
 "value": "Application AppID Uri Configuration Changes"
 },
@@ -57545,11 +74211,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
 ],
 "tags": [
@@ -57577,9 +74243,18 @@
 ],
 "tags": [
 "attack.initial_access",
- "attack.t1078"
+ "attack.t1078.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8",
 "value": "Login to Disabled Account"
 },
@@ -57606,6 +74281,15 @@
 "attack.t1562.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35",
 "value": "Azure Kubernetes Events Deleted"
 },
@@ -57623,7 +74307,6 @@
 "logsource.product": "azure",
 "refs": [
 "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/",
- "https://attack.mitre.org/techniques/T1098/003/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml"
 ],
 "tags": [
@@ -57631,6 +74314,15 @@
 "attack.t1098.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7",
 "value": "User Added to an Administrator's Azure AD Role"
 },
@@ -57648,18 +74340,28 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
 ],
 "tags": [
 "attack.persistence",
+ "attack.t1053.003",
 "attack.privilege_escalation",
 "attack.execution"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a",
 "value": "Azure Kubernetes CronJob"
 },
@@ -57724,11 +74426,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
 "tags": [
@@ -57803,12 +74505,47 @@
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.defense_evasion",
+ "attack.t1562.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd",
 "value": "Azure Firewall Modified or Deleted"
 },
+ {
+ "description": "Detects risky authencaition from a non AD registered device without MFA being required.",
+ "meta": {
+ "author": "Harjot Singh, '@cyb3rjy0t'",
+ "creation_date": "2023/01/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "572b12d4-9062-11ed-a1eb-0242ac120002",
+ "value": "Suspicious SignIns From A Non Registered Device"
+ },
 {
 "description": "Identifies when DNS zone is modified or deleted.",
 "meta": {
@@ -57827,9 +74564,19 @@
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.t1565.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "af6925b0-8826-47f1-9324-337507a0babd",
 "value": "Azure DNS Zone Modified or Deleted"
 },
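Review bot: The new entry `572b12d4-9062-11ed-a1eb-0242ac120002` ("Suspicious SignIns From A Non Registered Device") is tagged `attack.t1078` but, unlike every neighbouring entry that carries a technique tag in this hunk and the next, receives no `related` block — which suggests the relationship script ran before this rule was merged, or that it has no mapping for the parent technique `t1078` and only handles sub-techniques; either way the entry should be re-run through the script or the gap documented. Its `description` also carries the typo `authencaition` and its UUID is a version-1 (time-based, third group `11ed`) identifier while the sibling entries use version-4 UUIDs; both are inherited from the upstream Sigma rule, so the fix belongs upstream rather than in this generated file, but they are worth reporting there. The surrounding `values` array starts and ends outside this hunk.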
@@ -57879,6 +74626,15 @@
 "attack.t1484"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9494bff8-959f-4440-bbce-fb87a208d517",
 "value": "Changes to Device Registration Policy"
 },
@@ -57899,9 +74655,18 @@
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml"
 ],
 "tags": [
- "attack.t1078"
+ "attack.t1078.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c",
 "value": "Azure AD Only Single Factor Authentication Required"
 },
@@ -57948,9 +74713,18 @@
 "tags": [
 "attack.persistence",
 "attack.privilege_escalation",
- "attack.t1078"
+ "attack.t1078.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947",
 "value": "Privileged Account Creation"
 },
@@ -57998,6 +74772,15 @@
 "attack.t1098"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c",
 "value": "User Removed From Group With CA Policy Modification Access"
 },
@@ -58039,7 +74822,6 @@
 "logsource.product": "azure",
 "refs": [
 "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates",
- "https://attack.mitre.org/techniques/T1556/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml"
 ],
 "tags": [
@@ -58047,6 +74829,15 @@
 "attack.t1556"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf",
 "value": "Disabled MFA to Bypass Authentication Mechanisms"
 },
@@ -58174,6 +74965,15 @@
 "attack.t1552.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b831353c-1971-477b-abb6-2828edc3bca1",
 "value": "Azure Keyvault Secrets Modified or Deleted"
 },
@@ -58191,11 +74991,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
 ],
 "tags": [
@@ -58220,17 +75020,27 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
 ],
 "tags": [
- "attack.impact"
+ "attack.impact",
+ "attack.t1531"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2",
 "value": "Azure Kubernetes Service Account Modified or Deleted"
 },
@@ -58255,6 +75065,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b",
 "value": "APT User Agent"
 },
@@ -58279,6 +75098,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3",
 "value": "Suspicious Base64 User Agent"
 },
@@ -58304,6 +75132,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8",
 "value": "Empire UserAgent URI Combo"
 },
@@ -58320,8 +75157,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/jhencinski/status/1102695118455349248",
 "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
+ "https://twitter.com/jhencinski/status/1102695118455349248",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml"
 ],
 "tags": [
@@ -58333,6 +75170,22 @@
 "attack.s0190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7",
 "value": "Bitsadmin to Uncommon TLD"
 },
@@ -58359,6 +75212,15 @@
 "attack.g0010"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7857f021-007f-4928-8b2c-7aedbe64bb82",
 "value": "Turla ComRAT"
 },
@@ -58383,6 +75245,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fb502828-2db0-438e-93e6-801c7548686d",
 "value": "Chafer Malware URL Pattern"
 },
@@ -58399,9 +75270,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
 "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
 "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml"
 ],
 "tags": [
@@ -58409,6 +75280,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fdd7e904-7304-4616-a46a-e32f917c4be4",
 "value": "OWASSRF Exploitation Attempt Using Public POC - Proxy"
 },
@@ -58433,6 +75313,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f",
 "value": "Exploit Framework User Agent"
 },
@@ -58459,6 +75348,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e",
 "value": "Windows WebDAV User Agent"
 },
@@ -58485,6 +75383,22 @@
 "attack.t1568"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "195c1119-ef07-4909-bb12-e66f5e07bf3c",
 "value": "Download from Suspicious Dyndns Hosts"
 },
@@ -58510,6 +75424,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc",
 "value": "CobaltStrike Malleable OneDrive Browsing Traffic Profile"
 },
@@ -58534,6 +75457,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1",
 "value": "Suspicious User Agent"
 },
@@ -58551,8 +75483,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml"
 ],
 "tags": [
@@ -58562,6 +75494,22 @@
 "attack.t1102.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b494b165-6634-483d-8c47-2026a6c52372",
 "value": "Telegram API Access"
 },
@@ -58588,8 +75536,24 @@
 "attack.t1204.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b5de2919-b74a-4805-91a7-5049accbaefe",
- "value": "Download EXE from Suspicious TLD"
+ "value": "Download From Suspicious TLD - Whitelist"
 },
 {
 "description": "Detects suspicious user agent strings used by malware in proxy logs",
@@ -58604,9 +75568,9 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
 "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
 "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
 "https://perishablepress.com/blacklist/ua-2013.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml"
@@ -58616,6 +75580,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e",
 "value": "Malware User Agent"
 },
@@ -58643,6 +75616,22 @@
 "attack.s0190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3",
 "value": "Bitsadmin to Uncommon IP Server Address"
 },
@@ -58659,8 +75648,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
 "https://rclone.org/",
+ "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml"
 ],
 "tags": [
@@ -58668,6 +75657,15 @@
 "attack.t1567.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2c03648b-e081-41a5-b9fb-7d854a915091",
 "value": "Rclone Activity via Proxy"
 },
@@ -58693,6 +75691,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1ddf4596-1908-43c9-add2-1d2c2fcc4797",
 "value": "Potential OWASSRF Exploitation Attempt - Proxy"
 },
@@ -58718,6 +75725,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78",
 "value": "Crypto Miner User Agent"
 },
@@ -58769,6 +75785,36 @@
 "attack.t1552.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6",
 "value": "iOS Implant URL Pattern"
 },
@@ -58794,6 +75840,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "41b42a36-f62c-4c34-bd40-8cb804a34ad8",
 "value": "CobaltStrike Malformed UAs in Malleable Profiles"
 },
@@ -58821,6 +75876,29 @@
 "attack.defense_evasion"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb",
 "value": "Raw Paste Service Access"
 },
@@ -58846,6 +75924,15 @@
 "attack.t1590"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d",
 "value": "Advanced IP/Port Scanner Update Check"
 },
@@ -58863,9 +75950,9 @@
 "logsource.product": "No established product",
 "refs": [
 "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://www.spamhaus.org/statistics/tlds/",
 "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
 "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
- "https://www.spamhaus.org/statistics/tlds/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml"
 ],
 "tags": [
@@ -58876,8 +75963,24 @@
 "attack.t1204.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19",
- "value": "Download from Suspicious TLD"
+ "value": "Download From Suspicious TLD - Blacklist"
 },
 {
 "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group",
@@ -58915,8 +76018,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
 "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
+ "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml"
 ],
 "tags": [
@@ -58925,6 +76028,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "953b895e-5cc9-454b-b183-7f3db555452e",
 "value": "CobaltStrike Malleable Amazon Browsing Traffic Profile"
 },
@@ -58951,6 +76063,29 @@
 "attack.t1102.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e",
 "value": "PwnDrp Access"
 },
@@ -58976,6 +76111,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "37325383-740a-403d-b1a2-b2b4ab7992e7",
 "value": "CobaltStrike Malleable (OCSP) Profile"
 },
@@ -59002,6 +76146,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c8557060-9221-4448-8794-96320e6f3e74",
 "value": "Windows PowerShell User Agent"
 },
@@ -59049,6 +76202,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e",
 "value": "BabyShark Agent Pattern"
 },
@@ -59065,8 +76227,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
 "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
+ "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml"
 ],
 "tags": [
@@ -59076,6 +76238,15 @@
 "attack.t1110"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103",
 "value": "Hack Tool User Agent"
 },
@@ -59102,6 +76273,22 @@
 "attack.t1567.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5ba715b6-71b7-44fd-8245-f66893e81b3d",
 "value": "APT40 Dropbox Tool User Agent"
 },
@@ -59130,6 +76317,22 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "932ac737-33ca-4afd-9869-0d48b391fcc9",
 "value": "Ursnif Malware C2 URL Pattern"
 },
@@ -59155,6 +76358,15 @@
 "attack.t1071.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "21e44d78-95e7-421b-a464-ffd8395659c4",
 "value": "Empty User Agent"
 },
@@ -59183,6 +76395,22 @@
 "attack.t1036.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4922a5dd-6743-4fc2-8e81-144374280997",
 "value": "Flash Player Update from Suspicious Location"
 },
@@ -59199,8 +76427,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://paper.seebug.org/1495/",
 "https://twitter.com/wugeej/status/1369476795255320580",
+ "https://paper.seebug.org/1495/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml"
 ],
 "tags": [
@@ -59209,6 +76437,15 @@
 "cve.2021.21978"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9",
 "value": "CVE-2021-21978 Exploitation Attempt"
 },
@@ -59226,8 +76463,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://bad-jubies.github.io/RCE-NOW-WHAT/",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml"
 ],
 "tags": [
@@ -59262,6 +76499,15 @@
 "cve.2020.14882"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b",
 "value": "Oracle WebLogic Exploit CVE-2020-14882"
 },
@@ -59278,10 +76524,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
 "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
- "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
 "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
+ "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml"
 ],
 "tags": [
@@ -59289,6 +76535,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "38825179-3c78-4fed-b222-2e2166b926b1",
 "value": "Potential CVE-2021-26084 Exploitation Attempt"
 },
@@ -59313,6 +76568,15 @@
 "attack.initial_access"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6f55f047-112b-4101-ad32-43913f52db46",
 "value": "SonicWall SSL/VPN Jarrewrite Exploit"
 },
@@ -59338,6 +76602,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2",
 "value": "Exchange Exploitation Used by HAFNIUM"
 },
@@ -59354,8 +76627,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
 "https://www.anquanke.com/post/id/226029",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
 ],
 "tags": [
@@ -59391,6 +76664,15 @@
 "cve.2018.2894"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000",
 "value": "Oracle WebLogic Exploit"
 },
@@ -59407,9 +76689,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
 "https://dmaasland.github.io/posts/citrix.html",
 "https://support.citrix.com/article/CTX276688",
+ "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml"
 ],
 "tags": [
@@ -59417,6 +76699,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7",
 "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195"
 },
@@ -59433,8 +76724,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/search?q=CVE-2021-43798",
 "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
+ "https://github.com/search?q=CVE-2021-43798",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml"
 ],
 "tags": [
@@ -59442,6 +76733,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16",
 "value": "Grafana Path Traversal Exploitation CVE-2021-43798"
 },
@@ -59480,10 +76780,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://twitter.com/Al1ex4/status/1382981479727128580",
+ "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
 "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
 "https://twitter.com/sec715/status/1373472323538362371",
- "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
- "https://twitter.com/Al1ex4/status/1382981479727128580",
 "https://github.com/murataydemir/CVE-2021-27905",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml"
 ],
@@ -59493,6 +76793,15 @@
 "cve.2021.27905"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0bbcd74b-0596-41a4-94a0-4e88a76ffdb3",
 "value": "Potential CVE-2021-27905 Exploitation Attempt"
 },
@@ -59509,8 +76818,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
 "https://github.com/vnhacker1337/CVE-2022-27925-PoC",
+ "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
 "https://www.yang99.top/index.php/archives/82/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
 ],
@@ -59520,6 +76829,15 @@
 "cve.2022.27925"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd",
 "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE"
 },
@@ -59536,10 +76854,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
 "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
 "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
+ "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
+ "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
 ],
 "tags": [
@@ -59548,6 +76866,15 @@
 "cve.2022.36804"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685",
 "value": "Atlassian Bitbucket Command Injection Via Archive API"
 },
@@ -59566,10 +76893,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
 "https://github.com/payloadbox/sql-injection-payload-list",
 "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml"
 ],
 "tags": "No established tags"
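Review bot: The last hunk here (`@@ -59566,10 +76893,10 @@`, the SQL-injection access-log entry) ends on `"tags": "No established tags"`, a string, while every other entry in this chunk carries `"tags"` as an array; the `related` arrays the commit adds are derived from those tags, so a consumer (or the new script itself) that iterates `meta.tags` hits a different type for this entry. The line is pre-existing context rather than new, but since the generator is being reworked in this commit it is the natural place to make the field shape-stable: emit `"tags": []` for rules without tags and reserve the "No established …" placeholder for the scalar `logsource.*` fields. The same string placeholder appears in the removed Apache Threading Error entry further down, so it is a generator convention rather than a one-off.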
@@ -59590,9 +76917,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
 "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
 "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml"
 ],
 "tags": [
@@ -59600,6 +76927,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "92d78c63-5a5c-4c40-9b60-463810ffb082",
 "value": "OWASSRF Exploitation Attempt Using Public POC - Webserver"
 },
@@ -59626,6 +76962,15 @@
 "cve.2021.26814"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3",
 "value": "Exploitation of CVE-2021-26814 in Wazuh"
 },
@@ -59651,6 +76996,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "181f49fa-0b21-4665-a98c-a57025ebb8c7",
 "value": "Potential OWASSRF Exploitation Attempt - Webserver"
 },
@@ -59667,8 +77021,8 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
 "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml"
 ],
 "tags": [
@@ -59676,6 +77030,15 @@
 "attack.t1499.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56",
 "value": "Nginx Core Dump"
 },
@@ -59701,6 +77064,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5525edac-f599-4bfd-b926-3fa69860e766",
 "value": "Pulse Connect Secure RCE Attack CVE-2021-22893"
 },
@@ -59726,6 +77098,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61",
 "value": "CVE-2010-5278 Exploitation Attempt"
 },
@@ -59742,8 +77123,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
 "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
+ "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml"
 ],
 "tags": [
@@ -59767,9 +77148,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://support.f5.com/csp/article/K52145254",
 "https://twitter.com/yorickkoster/status/1279709009151434754",
 "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
+ "https://support.f5.com/csp/article/K52145254",
 "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
 ],
@@ -59778,6 +77159,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478",
 "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt"
 },
@@ -59794,9 +77184,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
- "https://swarm.ptsecurity.com/unauth-rce-vmware",
 "https://f5.pm/go-59627.html",
+ "https://swarm.ptsecurity.com/unauth-rce-vmware",
+ "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
 ],
 "tags": [
@@ -59804,6 +77194,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "179ed852-0f9b-4009-93a7-68475910fd86",
 "value": "CVE-2021-21972 VSphere Exploitation"
 },
@@ -59828,6 +77227,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af",
 "value": "Multiple Suspicious Resp Codes Caused by Single Client"
 },
@@ -59855,6 +77263,15 @@
 "cve.2022.46169"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "738cb115-881f-4df3-82cc-56ab02fc5192",
 "value": "Potential CVE-2022-46169 Exploitation Attempt"
 },
@@ -59871,12 +77288,12 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
 "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
 "https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
 "https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
 ],
 "tags": [
@@ -59884,6 +77301,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9be472ed-893c-4ec0-94da-312d2765f654",
 "value": "Log4j RCE CVE-2021-44228 in Fields"
 },
@@ -59932,6 +77358,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60",
 "value": "Pulse Secure Attack CVE-2019-11510"
 },
@@ -59948,10 +77383,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
 "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
 "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
 ],
 "tags": [
@@ -59983,6 +77418,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b",
 "value": "Exchange Exploitation CVE-2021-28480"
 },
@@ -60023,8 +77467,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
 "https://twitter.com/pyn3rd/status/1351696768065409026",
+ "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml"
 ],
 "tags": [
@@ -60033,6 +77477,15 @@
 "cve.2021.2109"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "687f6504-7f44-4549-91fc-f07bab065821",
 "value": "Oracle WebLogic Exploit CVE-2021-2109"
 },
@@ -60058,6 +77511,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35",
 "value": "Path Traversal Exploitation Attempts"
 },
@@ -60083,6 +77545,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f",
 "value": "Sitecore Pre-Auth RCE CVE-2021-42237"
 },
@@ -60099,9 +77570,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/apache/spark/pull/36315/files",
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml"
 ],
 "tags": [
@@ -60110,6 +77581,15 @@
 "cve.2022.33891"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c",
 "value": "Apache Spark Shell Command Injection - Weblogs"
 },
@@ -60126,9 +77606,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
- "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
 "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
+ "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
+ "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml"
 ],
 "tags": [
@@ -60136,6 +77616,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a",
 "value": "Suspicious User-Agents Related To Recon Tools"
 },
@@ -60161,6 +77650,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706",
 "value": "CVE-2022-31659 VMware Workspace ONE Access RCE"
 },
@@ -60185,30 +77683,18 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a2e97350-4285-43f2-a63f-d0daff291738",
 "value": "Fortinet CVE-2018-13379 Exploitation"
 },
- {
- "description": "Detects an issue in apache logs that reports threading related errors",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/01/22",
- "falsepositive": [
- "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185"
- ],
- "filename": "web_apache_threading_error.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c",
- "value": "Apache Threading Error"
- },
 {
 "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs",
 "meta": {
@@ -60230,6 +77716,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4",
 "value": "Fortinet CVE-2021-22123 Exploitation"
 },
@@ -60256,6 +77751,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef",
 "value": "Exchange ProxyShell Pattern"
 },
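Review bot: The first hunk here (`@@ -60185,30 +77683,18 @@`) silently drops the whole "Apache Threading Error" cluster value, uuid `e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c`, and the next chunk does the same for "Apache Segmentation Fault", uuid `1da8ce0b-855d-4004-8860-7d64d42063b1`. Cluster UUIDs are what MISP events and galaxy tags point at, so any instance that already tagged events with these two entries loses the referent on the next galaxy update, with no hint in the file that the rule was withdrawn rather than never existed. The commit message only says "updated with latest version", so it is unclear whether these rules were deleted or moved upstream; if the cluster format supports a deprecation marker, keeping the entry with that marker and an explanatory `description` would preserve existing references, and otherwise the removal deserves a line in the commit description. This also suggests the new script could warn when a regeneration makes a previously emitted uuid disappear.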
@@ -60297,8 +77801,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/sensepost/reGeorg",
 "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
+ "https://github.com/sensepost/reGeorg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml"
 ],
 "tags": [
@@ -60322,12 +77826,12 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
 "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
 "https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
 "https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
 ],
 "tags": [
@@ -60335,33 +77839,18 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702",
 "value": "Log4j RCE CVE-2021-44228 Generic"
 },
- {
- "description": "Detects a segmentation fault error message caused by a creashing apache worker process",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2017/02/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_apache_segfault.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "No established product",
- "refs": [
- "http://www.securityfocus.com/infocus/1633",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_segfault.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1499.004"
- ]
- },
- "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1",
- "value": "Apache Segmentation Fault"
- },
 {
 "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398",
 "meta": {
@@ -60383,6 +77872,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b",
 "value": "Confluence Exploitation CVE-2019-3398"
 },
@@ -60407,6 +77905,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a",
 "value": "CVE-2021-33766 Exchange ProxyToken Exploitation"
 },
@@ -60424,8 +77931,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
- "https://www.tenable.com/security/research/tra-2021-13",
 "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://www.tenable.com/security/research/tra-2021-13",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
 ],
 "tags": [
@@ -60435,6 +77942,15 @@
 "cve.2021.20091"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f0500377-bc70-425d-ac8c-e956cd906871",
 "value": "Arcadyan Router Exploitations"
 },
@@ -60461,6 +77977,15 @@
 "cve.2020.28188"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e",
 "value": "TerraMaster TOS CVE-2020-28188"
 },
@@ -60485,6 +78010,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af",
 "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass"
 },
@@ -60501,8 +78035,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
 "https://kb.vmware.com/s/article/85717",
+ "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml"
 ],
 "tags": [
@@ -60510,6 +78044,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec",
 "value": "VMware vCenter Server File Upload CVE-2021-22005"
 },
@@ -60526,12 +78069,12 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
 "https://twitter.com/bl4sty/status/1445462677824761878",
+ "https://twitter.com/ptswarm/status/1445376079548624899",
 "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
 "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
- "https://twitter.com/ptswarm/status/1445376079548624899",
 "https://twitter.com/h4x0r_dz/status/1445401960371429381",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
 ],
 "tags": [
@@ -60539,6 +78082,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5",
 "value": "CVE-2021-41773 Exploitation Attempt"
 },
@@ -60567,6 +78119,15 @@
 "cve.2014.6287"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae",
 "value": "Rejetto HTTP File Server RCE"
 },
@@ -60584,8 +78145,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://github.com/lijiejie/IIS_shortname_Scanner",
- "https://www.exploit-db.com/exploits/19525",
 "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://www.exploit-db.com/exploits/19525",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml"
 ],
 "tags": [
@@ -60593,6 +78154,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac",
 "value": "Successful IIS Shortname Fuzzing Scan"
 },
@@ -60617,6 +78187,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80",
 "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass"
 },
@@ -60633,8 +78212,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
 "https://twitter.com/aboul3la/status/1286012324722155525",
+ "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml"
 ],
 "tags": [
@@ -60643,6 +78222,15 @@
 "cve.2020.3452"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29",
 "value": "Cisco ASA FTD Exploit CVE-2020-3452"
 },
@@ -60688,6 +78276,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5",
 "value": "CVE-2020-0688 Exchange Exploitation via Web Log"
 },
@@ -60729,11 +78326,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://isc.sans.edu/diary/25686",
- "https://support.citrix.com/article/CTX267027",
 "https://support.citrix.com/article/CTX267679",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
+ "https://support.citrix.com/article/CTX267027",
+ "https://isc.sans.edu/diary/25686",
 "https://twitter.com/mpgn_x64/status/1216787131210829826",
+ "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
 ],
 "tags": [
@@ -60741,6 +78338,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756",
 "value": "Citrix Netscaler Attack CVE-2019-19781"
 },
@@ -60765,6 +78371,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", "value": "CVE-2020-0688 Exploitation Attempt" }, @@ -60826,8 +78441,8 @@ "logsource.product": "No established product", "refs": [ "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" ], "tags": [ @@ -60837,6 +78452,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit" }, @@ -60862,6 +78486,15 @@ "attack.t1037.005" ] }, + "related": [ + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dfe8b941-4e54-4242-b674-6b613d521962", "value": "Startup Items" }, 
@@ -60878,8 +78511,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -60888,6 +78521,15 @@ "attack.t1546.014" ] }, + "related": [ + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce", "value": "MacOS Emond Launch Daemon" }, @@ -60985,6 +78627,15 @@ "attack.t1059.002" ] }, + "related": [ + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55", "value": "MacOS Scripting Interpreter AppleScript" }, @@ -61009,6 +78660,15 @@ "attack.t1553.001" ] }, + "related": [ + { + "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f5141b6d-9f42-41c6-a7bf-2a780678b29b", "value": "Gatekeeper Bypass via Xattr" }, 
@@ -61049,8 +78709,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" ], "tags": [ @@ -61067,6 +78727,43 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", "value": "Suspicious Execution via macOS Script Editor" }, 
@@ -61115,6 +78812,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731", "value": "Creation Of A Local User Account" }, @@ -61163,6 +78869,15 @@ "attack.t1564.002" ] }, + "related": [ + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3", "value": "Hidden User Creation" }, @@ -61188,6 +78903,15 @@ "attack.t1552.003" ] }, + "related": [ + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "508a9374-ad52-4789-b568-fc358def2c65", "value": "Suspicious History File Operations" }, @@ -61212,6 +78936,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", "value": "System Network Connections Discovery - MacOs" }, @@ -61252,8 +78985,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ 
@@ -61300,8 +79033,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], @@ -61333,6 +79066,15 @@ "attack.t1070.006" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", "value": "File Time Attribute Change" }, @@ -61362,6 +79104,29 @@ "attack.s0402" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca", "value": "Payload Decoded and Decrypted via Built-in Utilities" }, @@ -61410,6 +79175,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276", "value": "Local Groups Discovery - MacOs" }, 
@@ -61436,6 +79210,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c3b43d8-d794-47d2-800a-d277715aa460", "value": "Scheduled Cron Task/Job - MacOs" }, @@ -61508,6 +79291,15 @@ "attack.t1030" ] }, + "related": [ + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", "value": "Split A File Into Pieces" }, @@ -61524,8 +79316,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", + "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" ], "tags": [ @@ -61557,6 +79349,15 @@ "attack.t1087.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c", "value": "Local System Accounts Discovery - MacOs" }, @@ -61606,6 +79407,15 @@ "attack.t1070.002" ] }, + "related": [ + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa", "value": "Indicator Removal on Host - Clear Mac System Logs" }, 
@@ -61630,6 +79440,15 @@ "attack.t1529" ] }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de", "value": "System Shutdown/Reboot - MacOs" }, @@ -61679,6 +79498,15 @@ "attack.t1555.001" ] }, + "related": [ + { + "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b120b587-a4c2-4b94-875d-99c9807d6955", "value": "Credentials from Password Stores - Keychain" }, @@ -61720,9 +79548,9 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], @@ -61742,8 +79570,8 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], 
@@ -61765,8 +79593,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], @@ -61801,6 +79629,29 @@ "attack.t1203" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a", "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd" }, @@ -61849,6 +79700,15 @@ "attack.t1222.002" ] }, + "related": [ + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5", "value": "File or Folder Permissions Change" }, @@ -61890,7 +79750,6 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", - "https://attack.mitre.org/techniques/T1543/002/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml" ], "tags": [ 
@@ -61924,6 +79783,22 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "808146b2-9332-4d78-9416-d7e47012d83d", "value": "BPFDoor Abnormal Process ID or Lock File Accessed" }, @@ -61940,7 +79815,6 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1123/", "https://linux.die.net/man/1/arecord", "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" @@ -61983,7 +79857,7 @@ "author": "Igor Fits, oscd.community", "creation_date": "2020/10/13", "falsepositive": [ - "Legitimate script work" + "Unknown" ], "filename": "lnx_auditd_binary_padding.yml", "level": "high", @@ -62015,7 +79889,6 @@ "logsource.product": "linux", "refs": [ "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", - "https://attack.mitre.org/techniques/T1027/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml" ], "tags": [ @@ -62088,7 +79961,6 @@ "refs": [ "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://linux.die.net/man/1/xclip", - "https://attack.mitre.org/techniques/T1115/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ 
@@ -62113,7 +79985,6 @@ "logsource.product": "linux", "refs": [ "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", - "https://attack.mitre.org/techniques/T1027/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml" ], "tags": [ @@ -62138,7 +80009,6 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", - "https://attack.mitre.org/techniques/T1547/006/", "https://linux.die.net/man/8/insmod", "https://man7.org/linux/man-pages/man8/kmod.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" @@ -62149,6 +80019,15 @@ "attack.t1547.006" ] }, + "related": [ + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72", "value": "Loading of Kernel Module via Insmod" }, @@ -62190,8 +80069,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/CVE-2021-4034", "https://github.com/berdav/CVE-2021-4034", + "https://access.redhat.com/security/cve/CVE-2021-4034", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" ], @@ -62200,6 +80079,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40a016ab-4f48-4eee-adde-bbf612695c53", "value": "Potential CVE-2021-4034 Exploitation Attempt" }, 
@@ -62216,10 +80104,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://linux.die.net/man/1/import", "https://imagemagick.org/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", - "https://attack.mitre.org/techniques/T1113/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -62243,7 +80130,6 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1562/004/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" @@ -62253,6 +80139,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53059bc0-1472-438b-956a-7508a94a91f0", "value": "Disable System Firewall" }, @@ -62270,7 +80165,6 @@ "logsource.product": "linux", "refs": [ "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", - "https://attack.mitre.org/techniques/T1027/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml" ], "tags": [ 
@@ -62296,8 +80190,8 @@ "refs": [ "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://mn3m.info/posts/suid-vs-capabilities/", - "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -62307,6 +80201,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", "value": "Linux Capabilities Discovery" }, @@ -62372,8 +80275,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" ], "tags": [ @@ -62403,6 +80306,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", "value": "Masquerading as Linux Crond Process" }, 
@@ -62420,7 +80332,6 @@ "logsource.product": "linux", "refs": [ "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", - "https://attack.mitre.org/techniques/T1027/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml" ], "tags": [ @@ -62453,6 +80364,15 @@ "attack.t1552.003" ] }, + "related": [ + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910", "value": "Suspicious History File Operations - Linux" }, @@ -62477,6 +80397,15 @@ "attack.t1070.006" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", "value": "File Time Attribute Change - Linux" }, @@ -62501,6 +80430,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", "value": "Possible Coin Miner CPU Priority Param" }, @@ -62526,6 +80464,15 @@ "cve.2021.3156" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2", "value": "CVE-2021-3156 Exploitation Attempt Bruteforcing" }, 
@@ -62567,7 +80514,6 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/tactics/TA0010/", "https://linux.die.net/man/1/wget", "https://gtfobins.github.io/gtfobins/wget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" @@ -62577,6 +80523,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", "value": "Data Exfiltration with Wget" }, @@ -62595,7 +80550,6 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", - "https://attack.mitre.org/techniques/T1543/002/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml" ], "tags": [ @@ -62627,6 +80581,15 @@ "attack.t1030" ] }, + "related": [ + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", "value": "Split A File Into Pieces - Linux" }, @@ -62644,7 +80607,6 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/xclip", - "https://attack.mitre.org/techniques/T1115/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml" ], "tags": [ @@ -62677,6 +80639,15 @@ "cve.2021.3156" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f", "value": "CVE-2021-3156 Exploitation Attempt" }, 
@@ -62702,6 +80673,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc", "value": "Bpfdoor TCP Ports Redirect" }, @@ -62728,6 +80708,22 @@ "attack.resource_development" ] }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", "value": "Program Executions in Suspicious Folders" }, @@ -62752,6 +80748,15 @@ "attack.t1222.002" ] }, + "related": [ + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", "value": "Remove Immutable File Attribute - Auditd" }, @@ -62776,6 +80781,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", "value": "Data Compressed" }, @@ -62818,7 +80832,6 @@ "refs": [ "https://linux.die.net/man/1/xwd", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", - "https://attack.mitre.org/techniques/T1113/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" ], "tags": [ 
@@ -62850,6 +80863,15 @@ "attack.t1529" ] }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", "value": "System Shutdown/Reboot - Linux" }, @@ -62875,6 +80897,15 @@ "attack.t1006" ] }, + "related": [ + { + "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb0647d7-371a-4553-8e20-33bbbe122956", "value": "Use of Debugfs to Access a Raw Disk" }, @@ -62891,10 +80922,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://man7.org/linux/man-pages/man1/passwd.1.html", - "https://attack.mitre.org/techniques/T1201/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://linux.die.net/man/1/chage", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], @@ -62903,6 +80933,15 @@ "attack.t1201" ] }, + "related": [ + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", "value": "Password Policy Discovery" }, 
@@ -62920,7 +80959,6 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", - "https://attack.mitre.org/techniques/T1082/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml" ], "tags": [ @@ -62953,6 +80991,15 @@ "attack.t1546.004" ] }, + "related": [ + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", "value": "Edit of .bash_profile and .bashrc" }, @@ -62978,6 +81025,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e", "value": "Overwriting the File with Dev Zero or Null" }, @@ -62994,11 +81050,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1003/", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://linux.die.net/man/8/pam_tty_audit", - "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ 
@@ -63007,6 +81062,15 @@ "attack.t1056.001" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", "value": "Linux Keylogging with Pam.d" }, @@ -63031,6 +81095,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825", "value": "Suspicious Commands Linux" }, @@ -63047,7 +81120,6 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1564/001/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml" ], @@ -63056,6 +81128,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616", "value": "Hidden Files and Directories" }, @@ -63073,8 +81154,8 @@ "logsource.product": "linux", "refs": [ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ 
@@ -63082,6 +81163,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", "value": "Creation Of An User Account" }, @@ -63099,8 +81189,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", - "https://book.hacktricks.xyz/shells/shells/linux", "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", + "https://book.hacktricks.xyz/shells/shells/linux", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -63156,6 +81246,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a14080d-a048-4de8-ae58-604ce58a795b", "value": "Remote File Copy" }, @@ -63181,6 +81280,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c", "value": "Equation Group Indicators" }, @@ -63205,6 +81313,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", "value": "Symlink Etc Passwd" }, 
@@ -63229,6 +81346,15 @@ "attack.t1565.001" ] }, + "related": [ + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", "value": "Commands to Clear or Remove the Syslog - Builtin" }, @@ -63253,6 +81379,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", "value": "Buffer Overflow Attempts" }, @@ -63277,6 +81412,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", "value": "Suspicious Reverse Shell Command Line" }, @@ -63326,6 +81470,22 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0ac15ec3-d24f-4246-aa2a-3077bb1cf90e", "value": "Privileged User Has Been Created" }, @@ -63351,6 +81511,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", "value": "Nimbuspwn Exploitation" }, 
@@ -63375,6 +81544,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", "value": "JexBoss Command Sequence" }, @@ -63439,10 +81617,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://artkond.com/2017/03/23/pivoting-guide/", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "http://pastebin.com/FtygZ1cg", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -63450,6 +81628,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", "value": "Suspicious Activity in Shell Commands" }, 
@@ -63466,9 +81653,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/", "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", - "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml" ], "tags": [ @@ -63476,6 +81663,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "444ade84-c362-4260-b1f3-e45e20e1a905", "value": "Privilege Escalation Preparation" }, @@ -63494,7 +81690,6 @@ "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", - "https://attack.mitre.org/techniques/T1070/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ @@ -63502,6 +81697,15 @@ "attack.t1070.003" ] }, + "related": [ + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", "value": "Clear Command History" }, 
@@ -63513,19 +81717,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_susp_guacamole.yml", + "filename": "lnx_guacamole_susp_guacamole.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://research.checkpoint.com/2020/apache-guacamole-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_susp_guacamole.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml" ], "tags": [ "attack.credential_access", "attack.t1212" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1edd77db-0669-4fef-9598-165bda82826d", "value": "Guacamole Two Users Sharing Session Anomaly" }, @@ -63537,19 +81750,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_susp_vsftp.yml", + "filename": "lnx_vsftpd_susp_error_messages.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/dagwieers/vsftpd/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_susp_vsftp.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml" ], "tags": [ "attack.initial_access", "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", "value": "Suspicious VSFTPD Error Messages" }, 
@@ -63561,19 +81783,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_clamav.yml", + "filename": "lnx_clamav_relevant_message.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml" ], "tags": [ "attack.resource_development", "attack.t1588.001" ] }, + "related": [ + { + "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", "value": "Relevant ClamAV Message" }, @@ -63585,19 +81816,28 @@ "falsepositive": [ "Legitimate modification of crontab" ], - "filename": "lnx_crontab_file_modification.yml", + "filename": "lnx_cron_crontab_file_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_crontab_file_modification.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml" ], "tags": [ "attack.persistence", "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe", "value": "Modifying Crontab" }, 
@@ -63609,19 +81849,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_pwnkit_local_privilege_escalation.yml", + "filename": "lnx_auth_pwnkit_local_privilege_escalation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://twitter.com/wdormann/status/1486161836961579020", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml" ], "tags": [ "attack.privilege_escalation", "attack.t1548.001" ] }, + "related": [ + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9", "value": "PwnKit Local Privilege Escalation" }, @@ -63635,12 +81884,12 @@ "Jump servers", "Workstations with frequently changing users" ], - "filename": "lnx_susp_failed_logons_single_source.yml", + "filename": "lnx_auth_susp_failed_logons_single_source.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_susp_failed_logons_single_source.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml" ], "tags": [ "attack.credential_access", 
@@ -63658,19 +81907,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_ssh_cve_2018_15473.yml", + "filename": "lnx_sshd_ssh_cve_2018_15473.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/Rhynorater/CVE-2018-15473-Exploit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_ssh_cve_2018_15473.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml" ], "tags": [ "attack.reconnaissance", "attack.t1589" ] }, + "related": [ + { + "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da", "value": "SSHD Error Message CVE-2018-15473" }, 
@@ -63682,47 +81940,32 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_susp_ssh.yml", + "filename": "lnx_sshd_susp_ssh.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_susp_ssh.yml" + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ "attack.initial_access", "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", "value": "Suspicious OpenSSH Daemon Error" }, - { - "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/28", - "falsepositive": [ - "Vulnerability scanners", - "Frequent attacks if system faces Internet" - ], - "filename": "modsec_mulitple_blocks.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/modsecurity/modsec_mulitple_blocks.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499" - ] - }, - "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", - "value": "Multiple Modsecurity Blocks" - }, { "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", "meta": { 
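Review bot: This hunk deletes the `Multiple Modsecurity Blocks` value (uuid `a06eea10-d932-4aa6-8ba9-186df72c8d23`) outright, and unlike `Disabling Security Tools - Builtin`, which is removed in the hunk at old line 63748 and re-added with its new filename and the same uuid in the hunk at old line 63783, nothing in this chunk re-adds it. A cluster UUID that MISP events may already reference should not silently disappear: if the upstream rule was only moved or renamed (the other renames here follow a `lnx_<logsource>_…` scheme), re-add the entry under the new filename with the same uuid; if it was genuinely retired, keeping the entry and marking it deprecated is preferable to deletion, assuming the galaxy follows that practice. The `refs` of the OpenSSH entry at the top of the hunk are also reordered with no content change.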
@@ -63736,9 +81979,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -63748,33 +81991,25 @@ "cve.2019.14287" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7fcc54cb-f27d-4684-84b7-436af096f858", "value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin" }, - { - "description": "Detects disabling security tools", - "meta": { - "author": "Ömer Günal, Alejandro Ortuno, oscd.community", - "creation_date": "2020/06/17", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "lnx_security_tools_disabling_syslog.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_security_tools_disabling_syslog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", - "value": "Disabling Security Tools - Builtin" - }, { "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "meta": { 
@@ -63783,22 +82018,64 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_susp_named.yml", + "filename": "lnx_syslog_susp_named.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_susp_named.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml" ], "tags": [ "attack.initial_access", "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", "value": "Suspicious Named Error" }, + { + "description": "Detects disabling security tools", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/06/17", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_syslog_security_tools_disabling_syslog.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", + "value": "Disabling Security Tools - Builtin" + }, { "description": "Detects creation of cron file or files in Cron directories which could 
indicates potential persistence.", "meta": { @@ -63820,6 +82097,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", "value": "Persistence Via Cron Files" }, @@ -63844,6 +82130,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d", "value": "Persistence Via Sudoers Files" }, @@ -63892,6 +82187,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f", "value": "Triple Cross eBPF Rootkit Default Persistence" }, @@ -63917,6 +82221,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", "value": "Linux Doas Conf File Creation" }, 
@@ -63948,6 +82261,43 @@ "attack.s0508" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", "value": "Communication To Ngrok Tunneling Service - Linux" }, @@ -64006,9 +82356,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ 
@@ -64018,6 +82368,22 @@ "cve.2019.14287" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b", "value": "Sudo Privilege Escalation CVE-2019-14287" }, @@ -64090,6 +82456,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776", "value": "Disabling Security Tools" }, @@ -64130,8 +82505,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/vimdiff/", + "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], @@ -64257,6 +82632,15 @@ "attack.t1087.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c", "value": "Local System Accounts Discovery - Linux" }, @@ -64283,6 +82667,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7", "value": "Linux Recon Indicators" }, 
@@ -64308,6 +82701,15 @@ "attack.t1222.002" ] }, + "related": [ + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8", "value": "Chmod Suspicious Directory" }, @@ -64332,6 +82734,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937", "value": "Python Spawning Pretty TTY" }, @@ -64359,6 +82770,22 @@ "cve.2022.26134" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66", "value": "Atlassian Confluence CVE-2022-26134" }, 
@@ -64375,11 +82802,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://curl.se/docs/manpage.html", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://twitter.com/d1r4c/status/1279042657508081664", "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://curl.se/docs/manpage.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -64388,6 +82815,22 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582", "value": "Suspicious Curl File Upload - Linux" }, @@ -64404,8 +82847,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/apt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml" ], "tags": [ 
@@ -64429,10 +82872,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", - "https://linux.die.net/man/8/userdel", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://linux.die.net/man/8/userdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -64440,6 +82883,15 @@ "attack.t1531" ] }, + "related": [ + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "08f26069-6f80-474b-8d1f-d971c6fedea0", "value": "User Has Been Deleted Via Userdel" }, @@ -64509,6 +82961,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2953194b-e33c-4859-b9e8-05948c167447", "value": "DD File Overwrite" }, @@ -64559,6 +83020,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f", "value": "Scheduled Cron Task/Job - Linux" }, @@ -64583,6 +83053,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", "value": "System Network Connections Discovery - Linux" }, 
@@ -64632,6 +83111,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b86d356d-6093-443d-971c-9b07db583c68", "value": "Suspicious Curl Change User Agents - Linux" }, @@ -64648,8 +83136,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ @@ -64681,6 +83169,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", "value": "Scheduled Task/Job At" }, @@ -64706,6 +83203,15 @@ "attack.t1592.004" ] }, + "related": [ + { + "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", "value": "Print History File Contents" }, @@ -64722,8 +83228,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ 
@@ -64731,6 +83237,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", "value": "BPFtrace Unsafe Option Usage" }, @@ -64760,6 +83275,29 @@ "attack.t1203" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", "value": "OMIGOD SCX RunAsProvider ExecuteScript" }, @@ -64784,6 +83322,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337", "value": "Linux Base64 Encoded Pipe to Shell" }, @@ -64808,6 +83355,15 @@ "attack.t1070.002" ] }, + "related": [ + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe", "value": "Clear Linux Logs" }, 
@@ -64824,10 +83380,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", - "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://linux.die.net/man/8/groupdel", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -64835,6 +83391,15 @@ "attack.t1531" ] }, + "related": [ + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a46f16c-8c4c-82d1-b121-0fdd3ba70a84", "value": "Group Has Been Deleted Via Groupdel" }, @@ -64860,6 +83425,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", "value": "Linux Base64 Encoded Shebang In CLI" }, @@ -64876,8 +83450,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/carlospolop/PEASS-ng", + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], 
@@ -64910,6 +83484,15 @@
 "attack.t1140"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "880973f3-9708-491c-a77b-2a35a1921158",
 "value": "Linux Shell Pipe to Shell"
 },
@@ -64935,6 +83518,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194",
 "value": "Curl Usage on Linux"
 },
@@ -65006,6 +83598,15 @@
 "attack.t1070.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31",
 "value": "Commands to Clear or Remove the Syslog"
 },
@@ -65030,6 +83631,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892",
 "value": "Suspicious Java Children Processes"
 },
@@ -65078,6 +83688,15 @@
 "attack.t1222.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12",
 "value": "Remove Immutable File Attribute"
 },
@@ -65107,6 +83726,29 @@
 "attack.t1203"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "21541900-27a9-4454-9c4c-3f0a4240344a",
 "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand"
 },
@@ -65123,8 +83765,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/nohup/",
 "https://www.computerhope.com/unix/unohup.htm",
+ "https://gtfobins.github.io/gtfobins/nohup/",
 "https://en.wikipedia.org/wiki/Nohup",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
 ],
@@ -65201,6 +83843,15 @@
 "attack.t1090"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c",
 "value": "Connection Proxy"
 },
@@ -65248,6 +83899,15 @@
 "attack.t1070.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57",
 "value": "File Deletion"
 },
@@ -65264,8 +83924,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
 ],
 "tags": [
@@ -65273,6 +83933,15 @@
 "attack.t1548"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "067d8238-7127-451c-a9ec-fa78045b618b",
 "value": "Linux Doas Tool Execution"
 },
@@ -65298,6 +83967,15 @@
 "attack.t1565.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f",
 "value": "History File Deletion"
 },
@@ -65322,6 +84000,15 @@
 "attack.t1592.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06",
 "value": "Cat Sudoers"
 },
@@ -65346,6 +84033,15 @@
 "attack.t1593.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446",
 "value": "Suspicious Git Clone - Linux"
 },
@@ -65362,14 +84058,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
 "https://attack.mitre.org/techniques/T1548/001/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
 ],
 "tags": [
- "attack.persistence"
+ "attack.persistence",
+ "attack.t1548.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21",
 "value": "Setuid and Setgid"
 },
@@ -65386,9 +84092,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
 "https://github.com/apache/spark/pull/36315/files",
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
 ],
 "tags": [
@@ -65397,6 +84103,15 @@
 "cve.2022.33891"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3",
 "value": "Apache Spark Shell Command Injection - ProcessCreation"
 },
@@ -65421,6 +84136,15 @@
 "attack.t1069.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d",
 "value": "Local Groups Discovery - Linux"
 },
@@ -65437,8 +84161,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
 "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
+ "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
 ],
 "tags": [