From caceb504fe2707211116e8a57ce1991e31126294 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 15 Jul 2023 11:29:17 +0200 Subject: [PATCH] chg: [sigma] updated to the latest rules --- clusters/sigma-rules.json | 3909 ++++++++++++++++++++----------------- 1 file changed, 2134 insertions(+), 1775 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index e56067f..066c4b2 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -99,8 +99,8 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", + "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" ], "tags": [ @@ -134,8 +134,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://core.telegram.org/bots/faq", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" @@ -212,8 +212,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" ], "tags": [ @@ -246,8 +246,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://twitter.com/stvemillertime/status/1024707932447854592", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", + "https://twitter.com/stvemillertime/status/1024707932447854592", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" ], "tags": [ @@ -322,7 +322,7 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html", + "https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_wannacry_killswitch_domain.yml" ], "tags": [ @@ -1210,9 +1210,9 @@ "logsource.product": "zeek", "refs": [ "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", - "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://threatpost.com/microsoft-petitpotam-poc/168163/", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1590,9 +1590,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://github.com/nknorg/nkn-sdk-go", "https://github.com/Maka8ka/NGLite", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", - "https://github.com/nknorg/nkn-sdk-go", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ @@ -1649,9 +1649,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -1726,12 +1726,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/corelight/CVE-2021-1675", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://github.com/corelight/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -1864,9 +1864,9 @@ "logsource.product": "zeek", "refs": [ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://twitter.com/neu5ron/status/1346245602502443009", "https://tools.ietf.org/html/rfc2929#section-2.1", - "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ @@ -1974,7 +1974,7 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html", + "https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_application_exceptions.yml" ], "tags": [ @@ -2007,8 +2007,8 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ @@ -2176,8 +2176,8 @@ "logsource.product": "jvm", "refs": [ "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", - "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://rules.sonarsource.com/java/RSPEC-2755", + "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], "tags": [ @@ -2277,10 +2277,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ - "http://edgeguides.rubyonrails.org/security.html", - "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", - "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "http://guides.rubyonrails.org/action_controller_overview.html", + "http://edgeguides.rubyonrails.org/security.html", + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -2313,10 +2313,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ @@ -2349,10 +2349,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ @@ -2375,9 +2375,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], @@ -2401,8 +2401,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" @@ -2437,9 +2437,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], @@ -2481,9 +2481,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], @@ -2517,7 +2517,7 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" ], @@ -2541,9 +2541,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], @@ -2585,8 +2585,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], @@ -2628,9 +2628,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], @@ -2672,12 +2672,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -2701,9 +2701,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ @@ -2735,10 +2735,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -2761,9 +2761,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], @@ -2787,10 +2787,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ @@ -2823,10 +2823,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -2849,9 +2849,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], @@ -2876,8 +2876,8 @@ "logsource.category": "application", "logsource.product": "velocity", "refs": [ - "https://antgarsil.github.io/posts/velocity/", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", + "https://antgarsil.github.io/posts/velocity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml" ], "tags": [ @@ -2945,9 +2945,9 @@ "refs": [ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], "tags": [ @@ -3060,8 +3060,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", + "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml" ], "tags": [ @@ -3116,7 +3116,7 @@ "value": "Credential Dumping by Pypykatz" }, { - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service.", "meta": { "author": "Tim Burrell", "creation_date": "2020/01/02", @@ -3162,9 +3162,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1460597833917251595", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/mrd0x/status/1460597833917251595", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" ], "tags": [ @@ -3418,10 +3418,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -3455,10 +3455,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" ], "tags": [ @@ -3495,9 +3495,9 @@ "refs": [ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], "tags": [ @@ -3533,9 +3533,9 @@ "refs": [ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], "tags": [ @@ -3635,8 +3635,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/D1rkMtr/UnhookingPatch", "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20", + "https://github.com/D1rkMtr/UnhookingPatch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml" ], "tags": [ @@ -3752,8 +3752,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" ], "tags": [ @@ -3787,9 +3787,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://github.com/codewhitesec/SysmonEnte/", "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", - "https://github.com/codewhitesec/SysmonEnte/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" ], "tags": [ @@ -3822,8 +3822,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -3866,8 +3866,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1541920424635912196", - "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml" ], "tags": [ @@ -3946,8 +3946,8 @@ "logsource.category": "process_tampering", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml" ], "tags": [ @@ -3981,8 +3981,8 @@ "logsource.category": "sysmon_error", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" ], "tags": [ @@ -4015,8 +4015,8 @@ "logsource.category": "sysmon_status", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" ], "tags": [ @@ -4049,8 +4049,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml" ], "tags": [ @@ -4084,8 +4084,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml" ], "tags": [ @@ -4177,9 +4177,9 @@ "logsource.product": "windows", "refs": [ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://twitter.com/d4rksystem/status/1357010969264873472", "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/SigmaHQ/sigma/issues/253", - "https://twitter.com/d4rksystem/status/1357010969264873472", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" ], @@ -4214,8 +4214,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/groups/G0010/", "Internal Research", + "https://attack.mitre.org/groups/G0010/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" ], "tags": [ @@ -4249,8 +4249,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml" ], "tags": [ @@ -4372,8 +4372,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" ], "tags": [ @@ -4406,8 +4406,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml" ], "tags": [ @@ -4441,8 +4441,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/zcgonvh/EfsPotato", + "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml" ], "tags": [ @@ -4518,18 +4518,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-117A", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", - "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" ], "tags": [ @@ -4563,8 +4563,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml" ], "tags": [ @@ -4599,8 +4599,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Azure/SimuLand", - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", "https://o365blog.com/post/adfs/", + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" ], "tags": [ @@ -4726,7 +4726,7 @@ "value": "Mimikatz Use" }, { - "description": "Detects when a rule has been modified in the windows firewall exception list", + "description": "Detects when a rule has been modified in the Windows firewall exception list", "meta": { "author": "frack113", "creation_date": "2022/02/19", @@ -4757,8 +4757,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml" ], "tags": "No established tags" @@ -4881,7 +4881,7 @@ "value": "New Firewall Rule Added In Windows Firewall Exception List" }, { - "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.", + "description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.", "meta": { "author": "Patrick Bareiss", "creation_date": "2019/04/18", @@ -5073,9 +5073,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", - "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], "tags": [ @@ -5108,8 +5109,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" ], "tags": [ @@ -5228,7 +5229,7 @@ "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ @@ -5260,8 +5261,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661", + "https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_password_policy_enumerated.yml" ], "tags": [ @@ -5294,8 +5295,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" ], "tags": "No established tags" @@ -5349,9 +5350,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" ], "tags": "No established tags" @@ -5406,8 +5407,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ @@ -5462,8 +5463,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://twitter.com/menasec1/status/1106899890377052160", + "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -5530,11 +5531,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://github.com/sensepost/ruler", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", - "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", - "https://github.com/sensepost/ruler/issues/47", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", + "https://github.com/sensepost/ruler/issues/47", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ @@ -5731,6 +5732,39 @@ "uuid": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", "value": "Remote Service Activity via SVCCTL Named Pipe" }, + { + "description": "Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.\n", + "meta": { + "author": "@neu5ron, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2017/11/19", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_disable_event_auditing.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", + "value": "Windows Event Auditing Disabled" + }, { "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "meta": { @@ -5786,9 +5820,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": "No established tags" @@ -5842,8 +5876,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], "tags": [ @@ -5962,9 +5996,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -6089,9 +6123,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", - "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ @@ -6304,8 +6338,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], @@ -6447,9 +6481,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -6515,8 +6549,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", "https://twitter.com/matthewdunwoody/status/1352356685982146562", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml" ], "tags": [ @@ -6593,9 +6627,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", "Live environment caused by malware", - "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -6809,8 +6843,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://twitter.com/menasec1/status/1111556090137903104", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" ], "tags": [ @@ -6896,6 +6930,40 @@ "uuid": "941e5c45-cda7-4864-8cea-bbb7458d194a", "value": "Suspicious Remote Logon with Explicit Credentials" }, + { + "description": "Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/06/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_security_disable_event_auditing_critical.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", + "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1", + "value": "Important Windows Event Auditing Disabled" + }, { "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "meta": { @@ -7105,8 +7173,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], "tags": "No established tags" @@ -7128,8 +7196,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/SecurityJosh/status/1283027365770276866", - "https://twitter.com/Flangvik/status/1283054508084473861", "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + "https://twitter.com/Flangvik/status/1283054508084473861", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], @@ -7444,8 +7512,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/topotam/PetitPotam", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ @@ -7554,8 +7622,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" ], "tags": [ @@ -7619,7 +7687,7 @@ "value": "Suspicious Kerberos RC4 Ticket Encryption" }, { - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "description": "Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender", "meta": { "author": "@BarryShooshooga", "creation_date": "2019/10/26", @@ -7685,7 +7753,7 @@ "value": "Suspicious Access to Sensitive File Extensions" }, { - "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", + "description": "Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later", "meta": { "author": "Keith Wright", "creation_date": "2019/11/20", @@ -7738,9 +7806,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], "tags": "No established tags" @@ -8042,9 +8110,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", - "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ @@ -8099,8 +8167,8 @@ "logsource.product": "windows", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], @@ -8122,16 +8190,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -8282,8 +8350,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" ], "tags": [ @@ -8436,8 +8504,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://adsecurity.org/?p=2053", - "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" ], "tags": [ @@ -8565,8 +8633,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", + "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ @@ -8654,39 +8722,6 @@ "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "value": "Possible PetitPotam Coerce Authentication Attempt" }, - { - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "meta": { - "author": "@neu5ron", - "creation_date": "2017/11/19", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_disable_event_logging.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "related": [ - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", - "value": "Disabling Windows Event Auditing" - }, { "description": "Detects access to a domain user from a non-machine account", "meta": { @@ -8700,9 +8735,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -8735,7 +8770,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", + "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://adsecurity.org/?p=3466", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" @@ -8770,9 +8805,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", "https://twitter.com/SBousseaden/status/1581300963650187264?", - "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -8805,8 +8840,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" ], "tags": [ @@ -8841,8 +8876,8 @@ "logsource.product": "windows", "refs": [ "https://www.sans.org/webcasts/119395", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ @@ -8926,10 +8961,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ @@ -9000,8 +9035,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://twitter.com/SBousseaden/status/1490608838701166596", + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ @@ -9034,7 +9069,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml" ], "tags": [ @@ -9067,8 +9102,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://twitter.com/malmoeb/status/1511760068743766026", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], @@ -9205,8 +9240,8 @@ "logsource.product": "windows", "refs": [ "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", - "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" ], "tags": [ @@ -9260,8 +9295,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml" ], "tags": [ @@ -9421,10 +9456,10 @@ "logsource.product": "windows", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" ], "tags": "No established tags" @@ -9514,10 +9549,10 @@ "logsource.product": "windows", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" ], "tags": "No established tags" @@ -9607,8 +9642,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/zerosum0x0/CVE-2019-0708", "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", + "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml" ], "tags": [ @@ -9693,7 +9728,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html", + "https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml" ], "tags": [ @@ -9727,11 +9762,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" ], "tags": "No established tags" @@ -9985,11 +10020,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/FlemmingRiis/status/1217147415482060800", - "https://twitter.com/VM_vivisector/status/1217190929330655232", - "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://nullsec.us/windows-event-log-audit-cve/", "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://twitter.com/FlemmingRiis/status/1217147415482060800", + "https://nullsec.us/windows-event-log-audit-cve/", + "https://www.youtube.com/watch?v=ebmW42YYveI", + "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], "tags": [ @@ -10067,8 +10102,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml" ], "tags": [ @@ -10124,8 +10159,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/security/4022344", "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml" ], "tags": [ @@ -10166,8 +10201,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/security/4022344", "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml" ], "tags": [ @@ -10196,7 +10231,7 @@ "value": "Microsoft Malware Protection Engine Crash" }, { - "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", + "description": "Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/07", @@ -10208,8 +10243,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], @@ -10243,8 +10278,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msexchange_control_panel/win_vul_cve_2020_0688.yml" ], "tags": [ @@ -10311,9 +10346,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", - "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", + "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], "tags": [ @@ -10637,8 +10672,8 @@ "logsource.product": "windows", "refs": [ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -11088,8 +11123,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://twitter.com/KevTheHermit/status/1410203844064301056", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/afwu/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml" ], @@ -11148,8 +11183,8 @@ "refs": [ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://winaero.com/enable-openssh-server-windows-10/", - "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], @@ -11183,9 +11218,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", - "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", + "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -11268,8 +11303,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" ], "tags": [ @@ -11336,8 +11371,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/duff22b/status/1280166329660497920", "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands", + "https://twitter.com/duff22b/status/1280166329660497920", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml" ], "tags": [ @@ -11412,9 +11447,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "Internal Research", - "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" ], "tags": [ @@ -11558,7 +11593,7 @@ "value": "Windows Defender Threat Detected" }, { - "description": "Detects suspicious changes to the windows defender configuration", + "description": "Detects suspicious changes to the Windows Defender configuration", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/12/06", @@ -11570,8 +11605,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" ], "tags": [ @@ -11775,9 +11810,9 @@ "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" ], "tags": [ @@ -11845,9 +11880,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], "tags": [ @@ -11981,9 +12016,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://twitter.com/gentilkiwi/status/861641945944391680", + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ @@ -12113,8 +12148,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Ekultek/BlueKeep", "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ @@ -12136,7 +12171,7 @@ "value": "Potential RDP Exploit CVE-2019-0708" }, { - "description": "Detects volume shadow copy mount via windows event log", + "description": "Detects volume shadow copy mount via Windows event log", "meta": { "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "creation_date": "2020/10/20", @@ -12204,8 +12239,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1347900440000811010", "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", + "https://twitter.com/jonasLyk/status/1347900440000811010", "https://twitter.com/wdormann/status/1347958161609809921", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], @@ -12423,8 +12458,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" ], "tags": [ @@ -12550,7 +12585,7 @@ "value": "Anydesk Remote Access Software Service Installation" }, { - "description": "Detects important or interesting windows services that got terminated unexpectedly.", + "description": "Detects important or interesting Windows services that got terminated unexpectedly.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/04/14", @@ -12756,7 +12791,7 @@ "value": "Service Installed By Unusual Client - System" }, { - "description": "Detects windows services that got terminated for whatever reason", + "description": "Detects Windows services that got terminated for whatever reason", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/04/14", @@ -12825,8 +12860,8 @@ "logsource.product": "windows", "refs": [ "https://www.sans.org/webcasts/119395", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], "tags": [ @@ -13336,8 +13371,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml" ], "tags": [ @@ -13434,7 +13469,7 @@ "value": "Turla PNG Dropper Service" }, { - "description": "Detects important or interesting windows services that got terminated for whatever reason", + "description": "Detects important or interesting Windows services that got terminated for whatever reason", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/04/14", @@ -13733,7 +13768,7 @@ "value": "Tap Driver Installation" }, { - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)", "meta": { "author": "Sittikorn S, Tim Shelton", "creation_date": "2022/05/11", @@ -13904,8 +13939,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml" ], "tags": [ @@ -14066,8 +14101,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.secura.com/blog/zero-logon", "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", + "https://www.secura.com/blog/zero-logon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" ], "tags": [ @@ -14417,8 +14452,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -14584,8 +14619,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ @@ -14691,11 +14726,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", - "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", + "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -14744,10 +14779,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ @@ -14770,10 +14805,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], "tags": [ @@ -14796,10 +14831,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], "tags": [ @@ -14822,10 +14857,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "Internal Research", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ @@ -14848,8 +14883,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" ], "tags": [ @@ -14873,8 +14908,8 @@ "logsource.product": "windows", "refs": [ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" ], "tags": [ @@ -14897,8 +14932,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" ], "tags": [ @@ -15185,8 +15220,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" ], "tags": [ @@ -15219,8 +15254,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://twitter.com/cyb3rops/status/1659175181695287297", + "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" ], "tags": [ @@ -15243,8 +15278,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml" ], "tags": [ @@ -15302,8 +15337,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" ], @@ -15573,8 +15608,8 @@ "logsource.product": "windows", "refs": [ "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -15609,9 +15644,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://persistence-info.github.io/Data/recyclebin.html", "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", - "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ @@ -15644,8 +15679,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1183745981189427200", "https://blog.xpnsec.com/exploring-mimikatz-part-1/", + "https://twitter.com/SBousseaden/status/1183745981189427200", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" ], "tags": [ @@ -15679,8 +15714,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" ], "tags": [ @@ -15714,11 +15749,11 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://nvd.nist.gov/vuln/detail/cve-2021-1675", "https://nvd.nist.gov/vuln/detail/cve-2021-34527", + "https://nvd.nist.gov/vuln/detail/cve-2021-1675", + "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", - "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -15773,6 +15808,41 @@ "uuid": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", "value": "Suspicious Run Key from Download" }, + { + "description": "Alerts on trust record modification within the registry, indicating usage of macros", + "meta": { + "author": "Antonlovesdnb, Trent Liffick (@tliffick)", + "creation_date": "2020/02/19", + "falsepositive": [ + "This will alert on legitimate macro usage as well, additional tuning is required" + ], + "filename": "registry_event_office_trust_record_modification.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", + "https://twitter.com/inversecos/status/1494174785621819397", + "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "related": [ + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "value": "Windows Registry Trust Record Modification" + }, { "description": "Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup", "meta": { @@ -15820,8 +15890,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ @@ -16059,8 +16129,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", "https://github.com/eset/malware-ioc/tree/master/oceanlotus", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" ], "tags": [ @@ -16081,7 +16151,7 @@ "value": "OceanLotus Registry Activity" }, { - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", + "description": "Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", "meta": { "author": "oscd.community, Dmitry Uchakin", "creation_date": "2020/10/07", @@ -16093,8 +16163,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" ], "tags": [ @@ -16169,8 +16239,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ @@ -16389,40 +16459,6 @@ "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", "value": "CMSTP Execution Registry Event" }, - { - "description": "Alerts on trust record modification within the registry, indicating usage of macros", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "registry_event_trust_record_modification.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", - "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ] - }, - "related": [ - { - "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", - "value": "Windows Registry Trust Record Modification" - }, { "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", "meta": { @@ -16436,8 +16472,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ @@ -16612,9 +16648,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", - "https://github.com/hfiref0x/UACME", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -16689,8 +16725,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" ], "tags": [ @@ -16723,8 +16759,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://wikileaks.org/vault7/#Pandemic", "https://twitter.com/MalwareJake/status/870349480356454401", + "https://wikileaks.org/vault7/#Pandemic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" ], "tags": [ @@ -16758,8 +16794,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", - "http://woshub.com/how-to-clear-rdp-connections-history/", "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "http://woshub.com/how-to-clear-rdp-connections-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -16933,9 +16969,9 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://docs.microsoft.com/en-us/windows/win32/shell/launch", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" @@ -17095,10 +17131,10 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], @@ -17165,8 +17201,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", "https://persistence-info.github.io/Data/amsi.html", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml" ], "tags": [ @@ -17299,8 +17335,8 @@ "logsource.product": "windows", "refs": [ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", - "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "https://twitter.com/Hexacorn/status/991447379864932352", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -17366,8 +17402,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", + "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ @@ -17388,7 +17424,7 @@ "value": "Potential Persistence Via App Paths Default Property" }, { - "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", + "description": "Detect set Notification_Suppress to 1 to disable the Windows security center notification", "meta": { "author": "frack113", "creation_date": "2022/08/19", @@ -17480,8 +17516,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/rootm0s/WinPwnage", "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", + "https://github.com/rootm0s/WinPwnage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ @@ -17655,10 +17691,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", - "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", + "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], @@ -17717,9 +17753,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ @@ -17752,11 +17788,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" @@ -17825,8 +17861,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1560536653709598721", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://twitter.com/malmoeb/status/1560536653709598721", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml" ], "tags": [ @@ -17850,9 +17886,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], "tags": [ @@ -18015,8 +18051,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" ], "tags": [ @@ -18036,41 +18072,6 @@ "uuid": "83314318-052a-4c90-a1ad-660ece38d276", "value": "Blackbyte Ransomware Registry" }, - { - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", - "meta": { - "author": "Trent Liffick (@tliffick)", - "creation_date": "2020/05/22", - "falsepositive": [ - "Valid Macros and/or internal documents" - ], - "filename": "registry_set_office_security.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "related": [ - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", - "value": "Office Security Settings Changed" - }, { "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", "meta": { @@ -18204,9 +18205,9 @@ "logsource.product": "windows", "refs": [ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], "tags": [ @@ -18306,8 +18307,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", + "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], @@ -18341,8 +18342,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/dottor_morte/status/1544652325570191361", "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://twitter.com/dottor_morte/status/1544652325570191361", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" ], "tags": [ @@ -18486,9 +18487,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], "tags": [ @@ -18608,6 +18609,40 @@ "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b", "value": "Potential Registry Persistence Attempt Via DbgManagedDebugger" }, + { + "description": "Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/06/21", + "falsepositive": [ + "Other unknown legitimate or custom paths need to be filtered to avoid false positives" + ], + "filename": "registry_set_office_trusted_location_uncommon.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f742bde7-9528-42e5-bd82-84f51a8387d2", + "value": "Uncommon Microsoft Office Trusted Location Added" + }, { "description": "Detects registry modifications that disable Privacy Settings Experience", "meta": { @@ -18732,7 +18767,7 @@ "value": "New File Association Using Exefile" }, { - "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "description": "Detects tampering with the \"Enabled\" registry key in order to disable Windows logging of a Windows event channel", "meta": { "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/04", @@ -18744,8 +18779,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", "https://twitter.com/WhichbufferArda/status/1543900539280293889", + "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" ], "tags": [ @@ -18778,8 +18813,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" ], "tags": [ @@ -18841,10 +18876,44 @@ "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "value": "Scheduled TaskCache Change by Uncommon Program" }, + { + "description": "Detects registry changes to Office trust records where the path is located in a potentially suspicious location", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/06/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_office_trust_record_susp_location.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://twitter.com/inversecos/status/1494174785621819397", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "value": "Macro Enabled In A Potentially Suspicious Document" + }, { "description": "Detects potential PowerShell commands or code within registry run keys", "meta": { - "author": "frack113, Florian Roth", + "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022/03/17", "falsepositive": [ "Legitimate admin or third party scripts. Baseline according to your environment" @@ -18921,8 +18990,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml" ], "tags": [ @@ -18982,8 +19051,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml" ], "tags": [ @@ -19207,9 +19276,9 @@ "logsource.product": "windows", "refs": [ "https://persistence-info.github.io/Data/userinitmprlogonscript.html", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ @@ -19349,11 +19418,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" @@ -19423,9 +19492,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], "tags": [ @@ -19459,9 +19528,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], "tags": [ @@ -19578,8 +19647,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml" ], "tags": [ @@ -19713,9 +19782,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", - "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], "tags": [ @@ -19783,7 +19852,7 @@ "value": "Windows Defender Exclusions Added - Registry" }, { - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", "meta": { "author": "frack113", "creation_date": "2022/09/17", @@ -19795,9 +19864,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ @@ -19831,9 +19900,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], "tags": [ @@ -19868,8 +19937,8 @@ "refs": [ "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", - "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", + "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -19972,7 +20041,7 @@ "value": "Enable Local Manifest Installation With Winget" }, { - "description": "Detect set EnableFirewall to 0 to disable the windows firewall", + "description": "Detect set EnableFirewall to 0 to disable the Windows firewall", "meta": { "author": "frack113", "creation_date": "2022/08/19", @@ -20145,7 +20214,7 @@ "value": "Changing RDP Port to Non Standard Number" }, { - "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "description": "Detects when attackers or tools disable Windows Defender functionalities via the Windows registry", "meta": { "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel", "creation_date": "2022/08/01", @@ -20157,13 +20226,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ @@ -20300,8 +20369,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" ], "tags": [ @@ -20338,6 +20407,41 @@ "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", "value": "Outlook Macro Execution Without Warning Setting Enabled" }, + { + "description": "Detects registry changes to Microsoft Office \"AccessVBOM\" to a value of \"1\" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.", + "meta": { + "author": "Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/05/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_office_access_vbom_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", + "https://twitter.com/inversecos/status/1494174785621819397", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf", + "value": "Trust Access Disable For VBApplications" + }, { "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", "meta": { @@ -20541,8 +20645,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" ], "tags": [ @@ -20669,9 +20773,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ @@ -20729,9 +20833,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], "tags": [ @@ -20797,8 +20901,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", "https://persistence-info.github.io/Data/aedebug.html", + "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" ], "tags": [ @@ -20855,9 +20959,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -20890,8 +20994,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml" ], "tags": [ @@ -20989,6 +21093,42 @@ "uuid": "9d3436ef-9476-4c43-acca-90ce06bdf33a", "value": "DHCP Callout DLL Installation" }, + { + "description": "Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.", + "meta": { + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/06/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_office_disable_protected_view_features.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a5c7a43f-6009-4a8c-80c5-32abf1c53ecc", + "value": "Microsoft Office Protected View Disabled" + }, { "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", "meta": { @@ -21002,8 +21142,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" ], "tags": [ @@ -21036,9 +21176,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ @@ -21137,9 +21277,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", - "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://www.sans.org/cyber-security-summit/archives", + "https://twitter.com/jamieantisocial/status/1304520651248668673", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ @@ -21266,8 +21406,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/dottor_morte/status/1544652325570191361", "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://twitter.com/dottor_morte/status/1544652325570191361", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ @@ -21333,8 +21473,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" ], "tags": [ @@ -21387,6 +21527,41 @@ "uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9", "value": "Disable Exploit Guard Network Protection on Windows Defender" }, + { + "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", + "meta": { + "author": "Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2020/05/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_office_vba_warnings_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", + "https://twitter.com/inversecos/status/1494174785621819397", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "91239011-fe3c-4b54-9f24-15c86bb65913", + "value": "Office Macros Auto-Enabled" + }, { "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", "meta": { @@ -21400,8 +21575,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1476286368385019906", "https://persistence-info.github.io/Data/lsaaextension.html", + "https://twitter.com/0gtweet/status/1476286368385019906", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml" ], "tags": [ @@ -21528,8 +21703,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/1", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ @@ -21562,8 +21737,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ @@ -21722,8 +21897,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://youtu.be/zSihR3lTf7g", "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", + "https://youtu.be/zSihR3lTf7g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ @@ -21758,9 +21933,9 @@ "logsource.product": "windows", "refs": [ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ @@ -21901,8 +22076,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", + "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], "tags": [ @@ -21923,41 +22098,6 @@ "uuid": "724ea201-6514-4f38-9739-e5973c34f49a", "value": "Bypass UAC Using SilentCleanup Task" }, - { - "description": "Disable Microsoft Office Security Features by registry", - "meta": { - "author": "frack113", - "creation_date": "2021/06/08", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_microsoft_office_security_features.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "related": [ - { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7c637634-c95d-4bbf-b26c-a82510874b34", - "value": "Disable Microsoft Office Security Features" - }, { "description": "Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.", "meta": { @@ -22039,8 +22179,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", - "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", + "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], "tags": [ @@ -22064,9 +22204,9 @@ "logsource.product": "windows", "refs": [ "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", "https://github.com/elastic/detection-rules/issues/1371", + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -22095,7 +22235,7 @@ "value": "DNS-over-HTTPS Enabled by Registry" }, { - "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", + "description": "Detect set UseActionCenterExperience to 0 to disable the Windows security center notification", "meta": { "author": "frack113", "creation_date": "2022/08/19", @@ -22140,9 +22280,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://twitter.com/nas_bench/status/1626648985824788480", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", + "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], @@ -22210,9 +22350,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ @@ -22235,17 +22375,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -22320,9 +22460,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], "tags": [ @@ -22422,8 +22562,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], @@ -22491,10 +22631,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1468548924600459267", - "https://github.com/gtworek/PSBits/tree/master/IFilter", - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://persistence-info.github.io/Data/ifilters.html", + "https://twitter.com/0gtweet/status/1468548924600459267", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", + "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ @@ -22610,9 +22750,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml" ], "tags": [ @@ -22647,7 +22787,7 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", + "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://twitter.com/dez_/status/986614411711442944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" @@ -22746,6 +22886,48 @@ "uuid": "b6188d2f-b3c4-4d2c-a17d-9706e0851af0", "value": "Potential Goopdate.DLL Sideloading" }, + { + "description": "Detects potential DLL sideloading of \"appverifUI.dll\"", + "meta": { + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/06/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_side_load_appverifui.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_appverifui.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ee6cea48-c5b6-4304-a332-10fc6446f484", + "value": "Potential appverifUI.DLL Sideloading" + }, { "description": "Detects potential DLL sideloading of \"7za.dll\"", "meta": { @@ -22883,8 +23065,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" ], "tags": [ @@ -22928,8 +23110,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", - "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://github.com/bohops/WSMan-WinRM", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], @@ -22959,6 +23141,48 @@ "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "value": "Suspicious WSMAN Provider Image Loads" }, + { + "description": "Detects potential DLL sideloading of \"ShellDispatch.dll\"", + "meta": { + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/06/20", + "falsepositive": [ + "Some installers may trigger some false positives" + ], + "filename": "image_load_side_load_shelldispatch.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shelldispatch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "844f8eb2-610b-42c8-89a4-47596e089663", + "value": "Potential ShellDispatch.DLL Sideloading" + }, { "description": "Detects loading of \"RjvPlatform.dll\" by the \"SystemResetPlatform.exe\" binary which can be abused as a method of DLL side loading since the \"$SysReset\" directory isn't created by default.", "meta": { @@ -23354,9 +23578,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9", - "https://github.com/TheD1rkMtr/AMSI_patch", "https://github.com/surya-dev-singh/AmsiBypass-OpenSession", + "https://github.com/TheD1rkMtr/AMSI_patch", + "https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml" ], "tags": [ @@ -23508,12 +23732,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", - "https://github.com/Wh04m1001/SysmonEoP", - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/Wh04m1001/SysmonEoP", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -23599,8 +23823,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "Internal Research", + "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml" ], "tags": [ @@ -23742,10 +23966,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://hijacklibs.net/", "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -23788,8 +24012,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/am0nsec/status/1412232114980982787", "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" ], "tags": [ @@ -23908,8 +24132,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/p3nt4/PowerShdll", "https://adsecurity.org/?p=2921", + "https://github.com/p3nt4/PowerShdll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" ], "tags": [ @@ -24063,8 +24287,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", + "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" ], "tags": [ @@ -24248,10 +24472,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/tyranid/DotNetToJScript", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://thewover.github.io/Introducing-Donut/", + "https://github.com/tyranid/DotNetToJScript", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -24318,9 +24542,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml" ], "tags": [ @@ -24353,8 +24577,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://securelist.com/apt-luminousmoth/103332/", + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://twitter.com/WhichbufferArda/status/1658829954182774784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], @@ -24397,8 +24621,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml" ], "tags": [ @@ -24519,8 +24743,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/StopMalvertisin/status/1648604148848549888", - "https://www.roboform.com/", "https://twitter.com/t3ft3lb/status/1656194831830401024", + "https://www.roboform.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], "tags": [ @@ -24794,8 +25018,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/", + "https://www.qurium.org/alerts/targeted-malware-against-crph/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml" ], "tags": [ @@ -24903,7 +25127,7 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html", + "https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_uncommon_image_load.yml" ], "tags": [ @@ -25011,8 +25235,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ @@ -25239,8 +25463,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/ly4k/SpoolFool", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ @@ -25439,9 +25663,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", - "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", + "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" ], "tags": [ @@ -25508,9 +25732,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" ], "tags": [ @@ -25627,8 +25851,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", - "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/RiccardoAncarani/LiquidSnake", + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -25661,9 +25885,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/besimorhino/powercat", "https://nmap.org/ncat/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -25696,8 +25920,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://github.com/bohops/WSMan-WinRM", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], @@ -25918,8 +26142,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" ], "tags": [ @@ -25978,7 +26202,7 @@ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021/06/07", "falsepositive": [ - "Unknown" + "Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated." ], "filename": "posh_pc_tamper_windows_defender_set_mp.yml", "level": "high", @@ -26261,9 +26485,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://www.mdeditor.tw/pl/pgRt", - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ @@ -26296,9 +26520,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ @@ -26357,8 +26581,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/8", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ @@ -26650,24 +26874,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://adsecurity.org/?p=2921", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/besimorhino/powercat", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/adrecon/ADRecon", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://adsecurity.org/?p=2921", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/adrecon/AzureADRecon", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/besimorhino/powercat", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -27032,23 +27256,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/HarmJ0y/DAMP", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/besimorhino/powercat", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/HarmJ0y/DAMP", "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/besimorhino/powercat", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/AlsidOfficial/WSUSpendu/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -27262,8 +27486,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" ], "tags": [ @@ -27562,8 +27786,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -27738,8 +27962,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -27826,20 +28050,20 @@ "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" }, { - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "description": "Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.", "meta": { - "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel", + "author": "frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/01/16", "falsepositive": [ - "Legitimate PowerShell scripts" + "Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated." ], "filename": "posh_ps_tamper_windows_defender_set_mp.yml", "level": "high", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], @@ -27906,9 +28130,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ @@ -28059,10 +28283,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2277", - "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://powersploit.readthedocs.io/en/stable/Recon/README", + "https://adsecurity.org/?p=2277", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -28239,9 +28463,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -28476,11 +28700,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -28513,8 +28737,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", + "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ @@ -28603,8 +28827,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ @@ -28670,8 +28894,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://youtu.be/5mqid-7zp8k?t=2481", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" @@ -28762,8 +28986,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.fortypoundhead.com/showcontent.asp?artid=24022", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://www.fortypoundhead.com/showcontent.asp?artid=24022", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml" ], "tags": [ @@ -29001,8 +29225,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://adsecurity.org/?p=2604", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], @@ -29199,7 +29423,7 @@ "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" }, { - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "description": "Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", @@ -29476,8 +29700,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" ], "tags": [ @@ -29510,8 +29734,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://t.co/ezOTGy1a1G", "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ @@ -29579,8 +29803,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", "https://twitter.com/NathanMcNulty/status/1569497348841287681", + "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" ], "tags": [ @@ -29606,10 +29830,10 @@ "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "creation_date": "2017/03/05", "falsepositive": [ - "Unknown" + "Depending on the scripts, this rule might require some initial tunning to fit the environment" ], "filename": "posh_ps_malicious_keywords.yml", - "level": "high", + "level": "medium", "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ @@ -29744,9 +29968,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ @@ -29771,8 +29995,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ @@ -29840,8 +30064,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" ], "tags": [ @@ -29874,8 +30098,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ @@ -30002,8 +30226,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ @@ -30269,8 +30493,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -30336,8 +30560,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "http://www.powertheshell.com/ntfsstreams/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" ], "tags": [ @@ -30379,8 +30603,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ @@ -30548,8 +30772,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ @@ -30640,8 +30864,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" ], "tags": [ @@ -30685,7 +30909,7 @@ "value": "Suspicious PowerShell Mailbox SMTP Forward Rule" }, { - "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the Windows event logs", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/09/12", @@ -30819,8 +31043,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], @@ -30854,8 +31078,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" ], @@ -30924,8 +31148,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ @@ -30991,8 +31215,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ @@ -31195,8 +31419,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1537919885031772161", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://twitter.com/nas_bench/status/1537919885031772161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" ], "tags": [ @@ -31229,8 +31453,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995111125447577600", "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://twitter.com/pabraeken/status/995111125447577600", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml" ], "tags": [ @@ -31251,7 +31475,7 @@ "value": "Execution via CL_Mutexverifiers.ps1" }, { - "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", + "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers or properties within Active Directory.", "meta": { "author": "frack113", "creation_date": "2022/03/17", @@ -31263,12 +31487,15 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ "attack.discovery", - "attack.t1018" + "attack.t1018", + "attack.t1087.002" ] }, "related": [ @@ -31278,10 +31505,17 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "36bed6b2-e9a0-4fff-beeb-413a92b86138", - "value": "Active Directory Computers Enumeration with Get-AdComputer" + "value": "Active Directory Computers Enumeration With Get-AdComputer" }, { "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", @@ -31405,8 +31639,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" ], "tags": [ @@ -31440,9 +31674,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -31600,8 +31834,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ @@ -31842,10 +32076,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", - "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://twitter.com/ScumBots/status/1610626724257046529", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -31879,8 +32113,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" ], "tags": [ @@ -32042,24 +32276,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://adsecurity.org/?p=2921", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/besimorhino/powercat", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/adrecon/ADRecon", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://adsecurity.org/?p=2921", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/adrecon/AzureADRecon", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/besimorhino/powercat", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -32191,9 +32425,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", - "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ @@ -32234,9 +32468,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/GhostPack/Rubeus", - "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], "tags": [ @@ -32393,8 +32627,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], @@ -32557,8 +32791,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/Arno0x/DNSExfiltrator", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ @@ -32792,8 +33026,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" ], "tags": [ @@ -33355,8 +33589,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "Personal research, statistical analysis", "https://lolbas-project.github.io", + "Personal research, statistical analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml" ], "tags": [ @@ -33423,8 +33657,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml" ], "tags": [ @@ -33623,11 +33857,11 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1551449425842786306", - "https://github.com/fengjixuchui/gdrv-loader", - "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", + "https://github.com/fengjixuchui/gdrv-loader", + "https://twitter.com/malmoeb/status/1551449425842786306", "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", + "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml" ], "tags": [ @@ -33802,8 +34036,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml" ], "tags": [ @@ -33836,8 +34070,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://reqrypt.org/windivert-doc.html", "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", + "https://reqrypt.org/windivert-doc.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml" ], "tags": [ @@ -34311,9 +34545,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://content.fireeye.com/apt-41/rpt-apt41", + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], "tags": [ @@ -34511,8 +34745,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -34639,8 +34873,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" ], "tags": [ @@ -34753,11 +34987,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/M_haggis/status/900741347035889665", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://twitter.com/M_haggis/status/1032799638213066752", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://twitter.com/M_haggis/status/900741347035889665", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ @@ -34790,8 +35024,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" ], "tags": [ @@ -35016,11 +35250,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", - "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", - "https://youtu.be/n2dFlSaBBKo", "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://github.com/looCiprian/GC2-sheet", + "https://youtu.be/n2dFlSaBBKo", + "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", + "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml" ], "tags": [ @@ -35271,9 +35505,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", "https://github.com/kleiton0x00/RedditC2", "https://twitter.com/kleiton0x7e/status/1600567316810551296", - "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml" ], "tags": [ @@ -35450,8 +35684,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://twitter.com/forensicitguy/status/1513538712986079238", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ @@ -35484,10 +35718,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml" ], "tags": [ @@ -35576,8 +35810,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml" ], "tags": [ @@ -35610,8 +35844,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -35636,8 +35870,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], @@ -35737,10 +35971,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/FireFart/hivenightmare/", "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ @@ -35774,8 +36008,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" ], "tags": [ @@ -35799,8 +36033,8 @@ "logsource.product": "windows", "refs": [ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], "tags": [ @@ -35850,11 +36084,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://twitter.com/luc4m/status/1073181154126254080", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -35920,8 +36154,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://twitter.com/0gtweet/status/1465282548494487554", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ @@ -36034,12 +36268,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/CCob/MirrorDump", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://www.google.com/search?q=procdump+lsass", "https://github.com/helpsystems/nanodump", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/CCob/MirrorDump", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ @@ -36106,8 +36340,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ @@ -36131,12 +36365,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://twitter.com/MaD_c4t/status/1623414582382567424", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ @@ -36159,8 +36393,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml" ], "tags": [ @@ -36195,9 +36429,9 @@ "logsource.product": "windows", "refs": [ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ @@ -36230,8 +36464,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://aboutdfir.com/the-key-to-identify-psexec/", "https://twitter.com/davisrichardg/status/1616518800584704028", + "https://aboutdfir.com/the-key-to-identify-psexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml" ], "tags": [ @@ -36296,7 +36530,7 @@ "value": "Suspicious File Creation In Uncommon AppData Folder" }, { - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "creation_date": "2022/06/19", @@ -36308,11 +36542,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://twitter.com/luc4m/status/1073181154126254080", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -36378,10 +36612,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", - "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://github.com/Yaxser/Backstab", + "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", + "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], "tags": [ @@ -36523,39 +36757,6 @@ "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "value": "Windows Shell/Scripting Application File Write to Suspicious Folder" }, - { - "description": "Detects programs on a Windows system that should not write executables to disk", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/08/21", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_legitimate_app_dropping_exe.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc", - "value": "Legitimate Application Dropped Executable" - }, { "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", "meta": { @@ -36590,8 +36791,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", + "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], @@ -36612,6 +36813,75 @@ "uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "value": "Potential Persistence Via Microsoft Office Add-In" }, + { + "description": "Detects programs on a Windows system that should not write scripts to disk", + "meta": { + "author": "frack113, Florian Roth (Nextron Systems)", + "creation_date": "2022/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_legitimate_app_dropping_script.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7d604714-e071-49ff-8726-edeb95a70679", + "value": "Legitimate Application Dropped Script" + }, + { + "description": "Detects the creation of a file with an uncommon extension in an Office application startup folder", + "meta": { + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/05", + "falsepositive": [ + "Other legitimate extensions used by either excel or word" + ], + "filename": "file_event_win_office_uncommon_file_startup.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "http://addbalance.com/word/startup.htm", + "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", + "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", + "value": "Uncommon File Created In Office Startup Folder" + }, { "description": "Detects the creation of binaries in the WinSxS folder by non-system processes", "meta": { @@ -36648,8 +36918,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae", + "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml" ], "tags": [ @@ -36811,9 +37081,9 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", - "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", + "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ @@ -36881,8 +37151,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ @@ -36925,8 +37195,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" ], "tags": [ @@ -37088,40 +37358,6 @@ "uuid": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", "value": "Creation of an WerFault.exe in Unusual Folder" }, - { - "description": "Detects creation of template files for Microsoft Office from outside Office", - "meta": { - "author": "Max Altgelt (Nextron Systems)", - "creation_date": "2022/06/02", - "falsepositive": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" - ], - "filename": "file_event_win_word_template_creation.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_word_template_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137" - ] - }, - "related": [ - { - "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", - "value": "Office Template Creation" - }, { "description": "Detects Octopus Scanner Malware.", "meta": { @@ -37283,11 +37519,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -37354,26 +37590,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/HarmJ0y/DAMP", - "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/besimorhino/powercat", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/Kevin-Robertson/Powermad", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/adrecon/AzureADRecon", "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -37407,8 +37643,8 @@ "logsource.product": "windows", "refs": [ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -37549,8 +37785,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" ], "tags": [ @@ -37770,6 +38006,41 @@ "uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6", "value": "UAC Bypass Using .NET Code Profiler on MMC" }, + { + "description": "Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.", + "meta": { + "author": "Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/02", + "falsepositive": [ + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" + ], + "filename": "file_event_win_office_startup_persistence.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders", + "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "value": "Potential Persistence Via Microsoft Office Startup Folder" + }, { "description": "Detects Rclone config file being created", "meta": { @@ -37996,8 +38267,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ @@ -38066,8 +38337,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/klinix5/InstallerFileTakeOver", "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/klinix5/InstallerFileTakeOver", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml" ], "tags": [ @@ -38087,41 +38358,6 @@ "uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324", "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event" }, - { - "description": "Detects the creation of an file in user Word Startup", - "meta": { - "author": "frack113", - "creation_date": "2022/06/05", - "falsepositive": [ - "Addition of legitimate plugins" - ], - "filename": "file_event_win_office_winword_startup.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", - "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", - "http://addbalance.com/word/startup.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_winword_startup.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "related": [ - { - "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "value": "Creation In User Word Startup Folder" - }, { "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", "meta": { @@ -38136,9 +38372,9 @@ "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -38171,9 +38407,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], "tags": [ @@ -38206,9 +38442,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ @@ -38233,8 +38469,8 @@ "logsource.product": "windows", "refs": [ "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ @@ -38307,8 +38543,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ @@ -38442,8 +38678,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://cobalt.io/blog/kerberoast-attack-techniques", "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", + "https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ @@ -38650,8 +38886,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml" ], "tags": [ @@ -38671,40 +38907,6 @@ "uuid": "b1c50487-1967-4315-a026-6491686d860e", "value": "Office Macro File Creation From Suspicious Process" }, - { - "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.execution" - ] - }, - "related": [ - { - "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "value": "Created Files by Office Applications" - }, { "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", "meta": { @@ -38751,8 +38953,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/12", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" ], "tags": [ @@ -38819,8 +39021,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], @@ -38841,40 +39043,6 @@ "uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "value": "NTDS Exfiltration Filename Patterns" }, - { - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "meta": { - "author": "Florian Roth (Nextron Systems), Sittikorn S", - "creation_date": "2021/09/10", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_winword_cve_2021_40444.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", - "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587" - ] - }, - "related": [ - { - "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "value": "Suspicious Word Cab File Write CVE-2021-40444" - }, { "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", "meta": { @@ -38932,6 +39100,39 @@ "uuid": "48ea844d-19b1-4642-944e-fe39c2cc1fec", "value": "UAC Bypass Using IDiagnostic Profile - File" }, + { + "description": "Detects programs on a Windows system that should not write an archive to disk", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_legitimate_app_dropping_archive.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26", + "value": "Legitimate Application Dropped Archive" + }, { "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", "meta": { @@ -39013,8 +39214,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ @@ -39037,11 +39238,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/HuskyHacks/ShadowSteal", "https://github.com/cube0x0/CVE-2021-36934", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", - "https://github.com/search?q=CVE-2021-36934", + "https://github.com/HuskyHacks/ShadowSteal", "https://github.com/FireFart/hivenightmare", + "https://github.com/search?q=CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -39425,6 +39626,40 @@ "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", "value": "Suspicious Creation with Colorcpl" }, + { + "description": "Detects the creation of files with an executable or script extension by an Office application.", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_office_susp_file_extension.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.execution" + ] + }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "value": "File With Uncommon Extension Created By An Office Application" + }, { "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", "meta": { @@ -39549,7 +39784,7 @@ "value": "SafetyKatz Default Dump Filename" }, { - "description": "Detects windows executables that writes files with suspicious extensions", + "description": "Detects Windows executables that writes files with suspicious extensions", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/12", @@ -39616,10 +39851,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": "No established tags" @@ -39694,6 +39929,39 @@ "uuid": "fec96f39-988b-4586-b746-b93d59fd1922", "value": "ScreenConnect Temporary Installation Artefact" }, + { + "description": "Detects programs on a Windows system that should not write executables to disk", + "meta": { + "author": "frack113, Florian Roth (Nextron Systems)", + "creation_date": "2022/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_legitimate_app_dropping_exe.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "value": "Legitimate Application Dropped Executable" + }, { "description": "Detects the creation of an executable by another executable", "meta": { @@ -39775,8 +40043,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/last-byte/PersistenceSniper", "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", + "https://github.com/last-byte/PersistenceSniper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml" ], "tags": [ @@ -39799,8 +40067,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" ], @@ -39834,8 +40102,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", "https://twitter.com/Sam0x90/status/1552011547974696960", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -39902,8 +40171,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml" ], "tags": [ @@ -40002,8 +40271,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://www.joesandbox.com/analysis/465533/0/html", + "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" ], "tags": [ @@ -40078,8 +40347,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml" ], "tags": [ @@ -40265,39 +40534,6 @@ "uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489", "value": "CrackMapExec File Creation Patterns" }, - { - "description": "Detects programs on a Windows system that should not write an archive to disk", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/08/21", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_legitimate_app_dropping_archive.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26", - "value": "Legitimate Application Dropped Archive" - }, { "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", "meta": { @@ -40347,11 +40583,11 @@ "logsource.product": "windows", "refs": [ "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", - "https://github.com/Wh04m1001/SysmonEoP", - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/Wh04m1001/SysmonEoP", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -40423,39 +40659,6 @@ "uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "value": "Wmiprvse Wbemcomn DLL Hijack - File" }, - { - "description": "Detects programs on a Windows system that should not write scripts to disk", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/08/21", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_legitimate_app_dropping_script.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7d604714-e071-49ff-8726-edeb95a70679", - "value": "Legitimate Application Dropped Script" - }, { "description": "Detects the creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process", "meta": { @@ -40469,8 +40672,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ @@ -40563,8 +40766,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -40686,8 +40889,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], "tags": [ @@ -40822,8 +41025,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -40989,8 +41192,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" ], "tags": [ @@ -41023,7 +41226,7 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", + "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], @@ -41094,8 +41297,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", + "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" ], "tags": [ @@ -41330,8 +41533,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml" ], "tags": [ @@ -41439,8 +41642,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ @@ -41541,8 +41744,8 @@ "logsource.product": "windows", "refs": [ "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update", - "https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations", "https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations", + "https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_malware_socgholish_second_stage_c2.yml" ], "tags": [ @@ -41608,8 +41811,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://twitter.com/neonprimetime/status/1436376497980428318", + "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" ], @@ -41643,10 +41846,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" @@ -41873,8 +42076,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], @@ -41895,39 +42098,6 @@ "uuid": "84232095-ecca-4015-b0d7-7726507ee793", "value": "Suspicious DLL Loaded via CertOC.EXE" }, - { - "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", - "meta": { - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", - "creation_date": "2022/04/28", - "falsepositive": [ - "Legitimate installation of a new screensaver" - ], - "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Desk/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml" - ], - "tags": [ - "attack.t1218.011", - "attack.defense_evasion" - ] - }, - "related": [ - { - "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", - "value": "Rundll32 InstallScreenSaver Execution" - }, { "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", "meta": { @@ -41975,8 +42145,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/help-windows-executable", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://www.cobaltstrike.com/help-windows-executable", "https://redcanary.com/threat-detection-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" ], @@ -42091,12 +42261,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ @@ -42269,8 +42439,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" ], "tags": [ @@ -42337,8 +42507,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml" ], "tags": [ @@ -42479,8 +42649,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/countuponsec/status/910977826853068800", - "https://twitter.com/countuponsec/status/910969424215232518", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ @@ -42500,6 +42670,41 @@ "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", "value": "Dumping Process via Sqldumper.exe" }, + { + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regasm_suspicious_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.009" + ] + }, + "related": [ + { + "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2", + "value": "Regasm/Regsvcs Suspicious Execution" + }, { "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", "meta": { @@ -42604,39 +42809,6 @@ "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "value": "Wusa Extracting Cab Files From Suspicious Paths" }, - { - "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", - "meta": { - "author": "frack113", - "creation_date": "2022/03/17", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_lolbin_pktmon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pktmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1040" - ] - }, - "related": [ - { - "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", - "value": "Use of PktMon.exe" - }, { "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", "meta": { @@ -42650,8 +42822,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" ], "tags": [ @@ -42774,8 +42946,8 @@ "logsource.product": "windows", "refs": [ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], "tags": [ @@ -42809,8 +42981,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", "https://github.com/shantanu561993/SharpChisel", + "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml" ], "tags": [ @@ -42844,8 +43016,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" ], "tags": [ @@ -42887,8 +43059,8 @@ "logsource.product": "windows", "refs": [ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml" ], "tags": [ @@ -42956,13 +43128,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/xorJosh/status/1598646907802451969", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://ngrok.com/docs", - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://twitter.com/xorJosh/status/1598646907802451969", + "https://ngrok.com/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -43029,8 +43201,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", + "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" ], "tags": [ @@ -43063,13 +43235,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -43110,9 +43283,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/hFireF0X/status/897640081053364225", - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/hfiref0x/UACME", + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://twitter.com/hFireF0X/status/897640081053364225", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], @@ -43182,7 +43355,7 @@ "value": "CMSTP Execution Process Creation" }, { - "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", + "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands", "meta": { "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020/10/05", @@ -43195,8 +43368,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535431474429808642", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml" ], "tags": [ @@ -43238,8 +43411,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", + "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], @@ -43273,10 +43446,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://zero2auto.com/2020/05/19/netwalker-re/", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://redcanary.com/blog/yellow-cockatoo/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://zero2auto.com/2020/05/19/netwalker-re/", + "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -43434,9 +43607,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" ], "tags": [ @@ -43469,8 +43642,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", "https://www.pdq.com/pdq-deploy/", + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml" ], "tags": [ @@ -43582,8 +43755,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Gal_B1t/status/1062971006078345217", "https://twitter.com/hexacorn/status/1448037865435320323", + "https://twitter.com/Gal_B1t/status/1062971006078345217", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" ], "tags": [ @@ -43704,16 +43877,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -43780,9 +43953,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], "tags": [ @@ -43816,9 +43989,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.poweradmin.com/paexec/", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" ], "tags": [ @@ -43851,8 +44024,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" ], "tags": [ @@ -43963,8 +44136,8 @@ "logsource.product": "windows", "refs": [ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://twitter.com/jonasLyk/status/1555914501802921984", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -43984,42 +44157,6 @@ "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "value": "Use NTFS Short Name in Command Line" }, - { - "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/06/09", - "falsepositive": [ - "Legitimate usage of Adplus" - ], - "filename": "proc_creation_win_lolbin_adplus.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1534915321856917506", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", - "https://twitter.com/nas_bench/status/1534916659676422152", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", - "value": "Use of Adplus.exe" - }, { "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", "meta": { @@ -44250,8 +44387,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://twitter.com/0gtweet/status/1628720819537936386", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], @@ -44651,10 +44788,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": "No established tags" @@ -44742,9 +44879,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/GhostPack/Rubeus", - "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], "tags": [ @@ -44849,8 +44986,8 @@ "logsource.product": "windows", "refs": [ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://twitter.com/Z3Jpa29z/status/1317545798981324801", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml" ], @@ -44956,6 +45093,40 @@ "uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "value": "HackTool - SharpImpersonation Execution" }, + { + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", + "meta": { + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", + "creation_date": "2022/04/28", + "falsepositive": [ + "Legitimate installation of a new screensaver" + ], + "filename": "proc_creation_win_rundll32_installscreensaver.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml" + ], + "tags": [ + "attack.t1218.011", + "attack.defense_evasion" + ] + }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", + "value": "Rundll32 InstallScreenSaver Execution" + }, { "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", "meta": { @@ -45003,8 +45174,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" ], "tags": [ @@ -45159,8 +45330,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", + "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], @@ -45243,8 +45414,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ @@ -45394,8 +45565,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml" ], "tags": [ @@ -45493,10 +45664,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": "No established tags" @@ -45517,9 +45688,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], "tags": [ @@ -45552,9 +45723,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], "tags": [ @@ -45588,10 +45759,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://twitter.com/EricaZelic/status/1614075109827874817", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ @@ -45709,8 +45880,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/pabraeken/status/995837734379032576", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/999090532839313408", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], "tags": [ @@ -45777,8 +45948,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1206692239839289344", "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", + "https://twitter.com/0gtweet/status/1206692239839289344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ @@ -45846,8 +46017,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" ], "tags": [ @@ -45880,9 +46051,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", - "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ @@ -45916,8 +46087,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", + "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" ], "tags": [ @@ -46051,9 +46222,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/right-to-left-override/", "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", "https://unicode-explorer.com/c/202E", + "https://redcanary.com/blog/right-to-left-override/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], "tags": [ @@ -46086,9 +46257,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", - "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml" ], "tags": [ @@ -46129,10 +46300,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ @@ -46165,8 +46336,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml" ], "tags": "No established tags" @@ -46220,14 +46391,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/SigmaHQ/sigma/issues/3742", "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ @@ -46269,9 +46440,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ @@ -46523,8 +46694,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], @@ -46626,11 +46797,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/885553465417756673", - "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://twitter.com/Hexacorn/status/885570278637678592", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://twitter.com/vysecurity/status/885545634958385153", - "https://twitter.com/Hexacorn/status/885570278637678592", + "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://twitter.com/Hexacorn/status/885553465417756673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -46788,9 +46959,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -46823,8 +46994,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", + "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml" ], "tags": [ @@ -46919,7 +47090,7 @@ "value": "Potential DLL Injection Or Execution Using Tracker.exe" }, { - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "description": "Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges.", "meta": { "author": "frack113, Tim Shelton (update fp)", "creation_date": "2022/12/05", @@ -47022,8 +47193,8 @@ "logsource.product": "windows", "refs": [ "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ @@ -47244,9 +47415,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", - "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml" ], "tags": [ @@ -47279,8 +47450,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml" ], "tags": [ @@ -47304,8 +47475,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" ], "tags": [ @@ -47338,8 +47509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57", + "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" ], "tags": [ @@ -47416,10 +47587,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://github.com/defaultnamehere/cookie_crimes/", - "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ @@ -47560,8 +47731,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", "https://twitter.com/_felamos/status/1179811992841797632", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml" ], "tags": [ @@ -47594,8 +47765,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], @@ -47629,8 +47800,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml" ], "tags": [ @@ -47663,8 +47834,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" ], "tags": [ @@ -47721,8 +47892,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://pentestlab.blog/2017/03/30/weak-service-permissions/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" ], "tags": [ @@ -47824,8 +47995,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml" ], "tags": [ @@ -47858,8 +48029,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/mandiant/SharPersist", "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", + "https://github.com/mandiant/SharPersist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml" ], "tags": [ @@ -47892,8 +48063,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://securelist.com/muddywater/88059/", + "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" ], "tags": [ @@ -47922,7 +48093,7 @@ "Unknown" ], "filename": "proc_creation_win_wscript_cscript_uncommon_extension_exec.yml", - "level": "medium", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ @@ -48198,8 +48369,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://nsudo.m2team.org/en-us/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml" ], "tags": [ @@ -48283,15 +48454,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://blog.talosintelligence.com/2017/05/wannacry.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://github.com/Neo23x0/Raccine#the-process", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://github.com/Neo23x0/Raccine#the-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ @@ -48401,11 +48572,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", - "https://gtfobins.github.io/gtfobins/ssh/", - "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", "https://man.openbsd.org/ssh_config#ProxyCommand", "https://man.openbsd.org/ssh_config#LocalCommand", + "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ @@ -48438,8 +48609,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml" ], "tags": [ @@ -48580,9 +48751,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ @@ -48607,8 +48778,8 @@ "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], "tags": [ @@ -48638,6 +48809,42 @@ "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "value": "File Download Via Bitsadmin" }, + { + "description": "Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/06/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_exec_from_trusted_locations.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Max_Mal_/status/1633863678909874176", + "Internal Research", + "https://twitter.com/_JohnHammond/status/1588155401752788994", + "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f99abdf0-6283-4e71-bd2b-b5c048a94743", + "value": "Potentially Suspicious Office Document Executed From Trusted Location" + }, { "description": "Detects code execution via the Windows Update client (wuauclt)", "meta": { @@ -48825,13 +49032,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", "https://www.cobaltstrike.com/help-opsec", "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -48864,11 +49071,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://twitter.com/egre55/status/1087685529016193025", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/egre55/status/1087685529016193025", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], "tags": [ @@ -49195,9 +49402,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", - "https://www.scythe.io/library/threat-emulation-qakbot", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://www.scythe.io/library/threat-emulation-qakbot", + "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" ], "tags": [ @@ -49220,8 +49427,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" ], "tags": [ @@ -49255,8 +49462,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", - "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" ], "tags": [ @@ -49323,9 +49530,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -49392,8 +49599,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", "https://twitter.com/x86matthew/status/1505476263464607744?s=12", + "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" ], "tags": "No established tags" @@ -49416,8 +49623,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ @@ -49473,8 +49680,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1183756892952248325", "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://twitter.com/cglyer/status/1183756892952248325", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" ], "tags": [ @@ -49540,9 +49747,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1583914515996897281", - "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" ], "tags": [ @@ -49662,8 +49869,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml" ], @@ -49777,9 +49984,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ @@ -49804,8 +50011,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -49882,10 +50089,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" ], "tags": [ @@ -50170,8 +50377,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml" ], "tags": [ @@ -50239,8 +50446,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml" ], "tags": [ @@ -50296,9 +50503,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.poweradmin.com/paexec/", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" ], "tags": [ @@ -50331,8 +50538,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml" ], "tags": [ @@ -50401,9 +50608,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", - "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], @@ -50538,9 +50745,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", - "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ @@ -50641,10 +50848,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ @@ -50696,8 +50903,8 @@ "refs": [ "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ @@ -50787,8 +50994,8 @@ "logsource.product": "windows", "refs": [ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://twitter.com/jonasLyk/status/1555914501802921984", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], "tags": [ @@ -50844,9 +51051,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", + "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml" ], "tags": [ @@ -51056,8 +51263,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", + "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" ], "tags": [ @@ -51101,9 +51308,9 @@ "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", - "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ @@ -51188,8 +51395,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", "Internal Research", + "https://tools.thehacker.recipes/mimikatz/modules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], "tags": "No established tags" @@ -51277,8 +51484,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml" ], "tags": [ @@ -51344,11 +51551,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], "tags": [ @@ -51391,8 +51598,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], "tags": [ @@ -51413,7 +51620,7 @@ "value": "Registry Modification Via Regini.EXE" }, { - "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/07/12", @@ -51459,9 +51666,9 @@ "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -51701,8 +51908,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -51735,8 +51942,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" ], "tags": [ @@ -51787,9 +51994,9 @@ "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ @@ -51974,8 +52181,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0108/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", + "https://attack.mitre.org/software/S0108/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" ], "tags": [ @@ -52011,8 +52218,8 @@ "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], "tags": [ @@ -52042,6 +52249,42 @@ "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", "value": "File With Suspicious Extension Downloaded Via Bitsadmin" }, + { + "description": "Detects execution of \"AdPlus.exe\", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/09", + "falsepositive": [ + "Legitimate usage of Adplus for debugging purposes" + ], + "filename": "proc_creation_win_adplus_memory_dump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", + "https://twitter.com/nas_bench/status/1534916659676422152", + "https://twitter.com/nas_bench/status/1534915321856917506", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", + "value": "Potential Adplus.EXE Abuse" + }, { "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", "meta": { @@ -52246,10 +52489,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://twitter.com/nas_bench/status/1537896324837781506", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://twitter.com/nas_bench/status/1537896324837781506", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ @@ -52385,8 +52628,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ @@ -52604,9 +52847,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ @@ -52649,8 +52892,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -52684,8 +52927,8 @@ "logsource.product": "windows", "refs": [ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", - "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" ], "tags": [ @@ -52742,8 +52985,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" @@ -52766,10 +53009,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://adsecurity.org/?p=2604", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -52825,8 +53068,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ @@ -52909,8 +53152,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs", + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml" ], "tags": [ @@ -52994,8 +53237,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ @@ -53028,8 +53271,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml" ], "tags": [ @@ -53289,10 +53532,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", - "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://github.com/defaultnamehere/cookie_crimes/", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ @@ -53325,8 +53568,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", "https://twitter.com/0gtweet/status/1474899714290208777?s=12", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml" ], "tags": "No established tags" @@ -53380,8 +53623,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/blackorbird/status/1140519090961825792", "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" ], "tags": [ @@ -53415,9 +53658,9 @@ "logsource.product": "windows", "refs": [ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", - "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], "tags": [ @@ -53483,8 +53726,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" ], "tags": [ @@ -53650,8 +53893,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" ], "tags": [ @@ -53717,9 +53960,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/RedDrip7/status/1506480588827467785", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", - "https://twitter.com/RedDrip7/status/1506480588827467785", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ @@ -53894,9 +54137,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://redcanary.com/blog/child-processes/", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -53929,8 +54172,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" ], "tags": [ @@ -53971,8 +54214,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" ], "tags": [ @@ -54331,9 +54574,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.php.net/manual/en/features.commandline.php", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -54425,8 +54668,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/mrd0x/status/1511415432888131586", - "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], @@ -54501,10 +54744,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], @@ -54707,8 +54950,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=Ie831jF0bb0", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.youtube.com/watch?v=Ie831jF0bb0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml" ], "tags": [ @@ -54852,8 +55095,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182391019633029120", "https://twitter.com/cglyer/status/1182389676876980224", + "https://twitter.com/cglyer/status/1182391019633029120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -54958,8 +55201,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" ], "tags": [ @@ -55033,14 +55276,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/SigmaHQ/sigma/issues/3742", "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ @@ -55115,8 +55358,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml" ], "tags": [ @@ -55182,8 +55425,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], @@ -55294,8 +55537,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" ], "tags": [ @@ -55329,8 +55572,8 @@ "logsource.product": "windows", "refs": [ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://twitter.com/frack113/status/1555830623633375232", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], "tags": [ @@ -55467,12 +55710,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", - "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", - "https://twitter.com/Wietze/status/1542107456507203586", - "https://twitter.com/shantanukhande/status/1229348874298388484", - "https://twitter.com/SBousseaden/status/1167417096374050817", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/Wietze/status/1542107456507203586", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", "https://twitter.com/Hexacorn/status/1224848930795552769", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], @@ -55503,41 +55746,6 @@ "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", "value": "Process Memory Dump Via Comsvcs.DLL" }, - { - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_regasm.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", - "https://www.fortiguard.com/threat-signal-report/4718?s=09", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.009" - ] - }, - "related": [ - { - "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2", - "value": "Regasm/Regsvcs Suspicious Execution" - }, { "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", "meta": { @@ -55619,11 +55827,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://twitter.com/christophetd/status/1164506034720952320", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ @@ -55725,11 +55933,11 @@ "logsource.product": "windows", "refs": [ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ @@ -55844,11 +56052,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/eral4m/status/1479106975967240209", - "https://twitter.com/eral4m/status/1479080793003671557", - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", - "https://twitter.com/Hexacorn/status/885258886428725250", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://twitter.com/eral4m/status/1479080793003671557", + "https://twitter.com/eral4m/status/1479106975967240209", + "https://twitter.com/Hexacorn/status/885258886428725250", "https://twitter.com/nas_bench/status/1433344116071583746", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], @@ -55882,8 +56090,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2288", "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", + "https://adsecurity.org/?p=2288", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ @@ -55916,8 +56124,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" ], "tags": [ @@ -55950,9 +56158,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], "tags": [ @@ -56053,8 +56261,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://twitter.com/_st0pp3r_/status/1560072680887525378", + "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml" ], "tags": [ @@ -56130,9 +56338,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", + "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ @@ -56165,8 +56373,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml" ], "tags": [ @@ -56233,8 +56441,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ @@ -56360,8 +56569,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1460815932402679809", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/", + "https://twitter.com/mrd0x/status/1460815932402679809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml" ], "tags": [ @@ -56463,11 +56672,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", "https://blog.alyac.co.kr/1901", + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ @@ -56584,8 +56793,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", + "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ @@ -56651,8 +56860,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], @@ -56673,6 +56882,29 @@ "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", "value": "DLL Loaded via CertOC.EXE" }, + { + "description": "Detects execution of \"Tpmvscmgr.exe\" to create a new virtual smart card.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/06/15", + "falsepositive": [ + "Legitimate usage by an administrator" + ], + "filename": "proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "c633622e-cab9-4eaa-bb13-66a1d68b3e47", + "value": "New Virtual Smart Card Created Via TpmVscMgr.EXE" + }, { "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", "meta": { @@ -56686,9 +56918,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", - "https://twitter.com/nas_bench/status/1534957360032120833", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", + "https://twitter.com/nas_bench/status/1534957360032120833", + "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml" ], "tags": [ @@ -56807,9 +57039,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.nirsoft.net/utils/nircmd.html", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.nirsoft.net/utils/nircmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ @@ -57042,8 +57274,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml" ], "tags": [ @@ -57126,8 +57358,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", + "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ @@ -57160,9 +57392,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ @@ -57187,8 +57419,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], "tags": [ @@ -57454,9 +57686,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", - "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml" ], "tags": [ @@ -57717,9 +57949,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/SBousseaden/status/1211636381086339073", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -57837,8 +58069,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml" ], "tags": [ @@ -57937,12 +58169,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ @@ -58083,8 +58316,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://twitter.com/subTee/status/1216465628946563073", + "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml" ], "tags": [ @@ -58153,10 +58386,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ @@ -58223,9 +58456,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], "tags": [ @@ -58313,9 +58546,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], "tags": [ @@ -58531,10 +58764,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ @@ -58658,8 +58891,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" ], "tags": [ @@ -58793,9 +59026,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ @@ -58828,8 +59061,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ @@ -58875,8 +59108,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/", "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt", + "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml" ], "tags": [ @@ -59030,11 +59263,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://twitter.com/egre55/status/1087685529016193025", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/egre55/status/1087685529016193025", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ @@ -59258,8 +59491,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml" ], "tags": [ @@ -59292,8 +59525,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" ], @@ -59315,9 +59548,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" ], "tags": [ @@ -59407,9 +59640,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], "tags": [ @@ -59477,8 +59710,8 @@ "logsource.product": "windows", "refs": [ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" ], "tags": [ @@ -59587,10 +59820,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://twitter.com/cglyer/status/1355171195654709249", - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], @@ -59624,9 +59857,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/frgnca/AudioDeviceCmdlets", "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", - "https://github.com/frgnca/AudioDeviceCmdlets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ @@ -59659,9 +59892,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -59694,10 +59927,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "https://nodejs.org/api/cli.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://nodejs.org/api/cli.html", - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -59730,9 +59963,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -59866,8 +60099,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml" ], "tags": [ @@ -60085,9 +60318,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://www.xuetr.com/", "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", - "http://www.xuetr.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], "tags": "No established tags" @@ -60178,6 +60411,39 @@ "uuid": "502b42de-4306-40b4-9596-6f590c81f073", "value": "Local Accounts Discovery" }, + { + "description": "Detects findstring commands with a suspicious ParentCommandLine", + "meta": { + "author": "frack113", + "creation_date": "2023/07/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_susp_parent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ] + }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ccb5742c-c248-4982-8c5c-5571b9275ad3", + "value": "Findstr Suspicious ParentCommandLine" + }, { "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", "meta": { @@ -60266,8 +60532,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/wmic-for-incident-response/", "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process", + "https://www.sans.org/blog/wmic-for-incident-response/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml" ], "tags": [ @@ -60301,8 +60567,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", "https://twitter.com/malmoeb/status/1616702107242971144", + "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" ], "tags": [ @@ -60360,8 +60626,8 @@ "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" ], "tags": [ @@ -60634,9 +60900,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ @@ -60659,10 +60925,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1299071304805560321?s=21", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/0gtweet/status/1299071304805560321?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], "tags": [ @@ -60696,9 +60962,9 @@ "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/22264", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": [ @@ -60764,8 +61030,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/HTML_Application", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://en.wikipedia.org/wiki/HTML_Application", "https://www.echotrail.io/insights/search/mshta.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], @@ -60799,10 +61065,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ @@ -60835,8 +61101,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ @@ -60877,8 +61143,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/eral4m/status/1451112385041911809", "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", + "https://twitter.com/eral4m/status/1451112385041911809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml" ], "tags": [ @@ -60911,9 +61177,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.nirsoft.net/utils/nircmd.html", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://www.nirsoft.net/utils/nircmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ @@ -61136,8 +61402,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", + "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" ], "tags": [ @@ -61172,8 +61438,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml" ], "tags": [ @@ -61272,8 +61538,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/danielbohannon/Invoke-DOSfuscation", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", + "https://github.com/danielbohannon/Invoke-DOSfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" ], "tags": [ @@ -61382,8 +61648,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ @@ -61403,6 +61669,30 @@ "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", "value": "Dropping Of Password Filter DLL" }, + { + "description": "Detects potential \"ShellDispatch.dll\" functionality abuse to execute arbitrary binaries via \"ShellExecute\"", + "meta": { + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/06/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_rundll32_shelldispatch_potential_abuse.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "82343930-652f-43f5-ab70-2ee9fdd6d5e9", + "value": "Potential ShellDispatch.DLL Functionality Abuse" + }, { "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", "meta": { @@ -61416,10 +61706,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", "https://twitter.com/max_mal_/status/1542461200797163522", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ @@ -61595,9 +61886,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -61789,9 +62080,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ @@ -61884,17 +62175,20 @@ { "description": "Detects potential arbitrary file download using a Microsoft Office application", "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", + "author": "Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community", "creation_date": "2022/05/17", "falsepositive": [ "Unknown" ], "filename": "proc_creation_win_office_arbitrary_cli_download.yml", - "level": "medium", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], "tags": [ @@ -61992,8 +62286,8 @@ "logsource.product": "windows", "refs": [ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://twitter.com/frack113/status/1555830623633375232", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], "tags": [ @@ -62027,9 +62321,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", - "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], "tags": [ @@ -62162,8 +62456,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ @@ -62254,9 +62548,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -62305,12 +62599,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://twitter.com/JohnLaTwC/status/835149808817991680", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", - "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ @@ -62343,9 +62637,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://github.com/antonioCoco/RogueWinRM", + "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], @@ -62441,8 +62735,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], @@ -62511,8 +62805,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", - "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", + "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ @@ -62579,8 +62873,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" ], "tags": [ @@ -62622,8 +62916,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/malcomvetter/CSExec", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://github.com/malcomvetter/CSExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml" ], "tags": [ @@ -62738,8 +63032,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535431474429808642", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" ], "tags": [ @@ -62952,8 +63246,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" ], "tags": [ @@ -62986,9 +63280,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/fireeye/DueDLLigence", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", + "https://github.com/fireeye/DueDLLigence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -63054,8 +63348,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", + "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" ], "tags": [ @@ -63285,8 +63579,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ @@ -63378,8 +63672,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/mattifestation/status/986280382042595328", - "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://atomicredteam.io/defense-evasion/T1220/", + "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], @@ -63505,8 +63799,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -63563,9 +63857,9 @@ "logsource.product": "windows", "refs": [ "https://vms.drweb.fr/virus/?i=24144899", - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ @@ -63598,8 +63892,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sourceforge.net/projects/mouselock/", "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", + "https://sourceforge.net/projects/mouselock/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml" ], "tags": [ @@ -63633,8 +63927,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" ], "tags": [ @@ -63702,9 +63996,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ @@ -63728,9 +64022,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" ], "tags": [ @@ -64134,8 +64428,8 @@ "logsource.product": "windows", "refs": [ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], @@ -64172,9 +64466,9 @@ "logsource.product": "windows", "refs": [ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", - "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -64207,8 +64501,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", + "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ @@ -64307,8 +64601,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml" ], "tags": [ @@ -64382,10 +64676,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -64452,8 +64746,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/_felamos/status/1204705548668555264", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml" ], "tags": [ @@ -64476,16 +64770,17 @@ { "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", "meta": { - "author": "behops, Bhabesh Raj", + "author": "bohops, Bhabesh Raj", "creation_date": "2021/10/08", "falsepositive": [ - "Legitimate use by administrator" + "Legitimate use by VM administrator" ], "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" ], @@ -64727,10 +65022,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ @@ -64763,10 +65058,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], "tags": [ @@ -64943,9 +65238,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://twitter.com/bohops/status/1477717351017680899?s=12", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" ], "tags": [ @@ -64968,8 +65263,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://twitter.com/0gtweet/status/1564968845726580736", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], @@ -65013,16 +65308,16 @@ "logsource.product": "windows", "refs": [ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ @@ -65209,11 +65504,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", - "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml" ], "tags": [ @@ -65301,8 +65596,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" ], @@ -65422,8 +65717,8 @@ "refs": [ "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ @@ -65456,11 +65751,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/ohpe/juicy-potato", - "https://www.localpotato.com/", - "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", + "https://github.com/ohpe/juicy-potato", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://www.localpotato.com/", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], @@ -65568,8 +65863,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w", "https://www.autoitscript.com/site/", + "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml" ], "tags": [ @@ -65602,11 +65897,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://twitter.com/0gtweet/status/1628720819537936386", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ @@ -65628,6 +65923,39 @@ "uuid": "98c5aeef-32d5-492f-b174-64a691896d25", "value": "Service Security Descriptor Tampering Via Sc.EXE" }, + { + "description": "Detects execution of PktMon, a tool that captures network packets.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_pktmon_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Pktmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pktmon_execution.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1040" + ] + }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", + "value": "PktMon.EXE Execution" + }, { "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", "meta": { @@ -65683,9 +66011,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", - "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml" ], "tags": [ @@ -65766,10 +66094,10 @@ "logsource.product": "windows", "refs": [ "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", - "http://blog.sevagas.com/?Hacking-around-HTA-files", "https://twitter.com/mattifestation/status/1326228491302563846", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", + "http://blog.sevagas.com/?Hacking-around-HTA-files", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ @@ -65911,8 +66239,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml" ], @@ -66001,8 +66329,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml" ], "tags": [ @@ -66197,9 +66525,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", - "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", + "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" ], "tags": [ @@ -66298,9 +66626,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.poweradmin.com/paexec/", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" ], "tags": [ @@ -66376,10 +66704,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", - "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml" ], "tags": [ @@ -66648,8 +66976,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml" ], "tags": [ @@ -66978,8 +67306,8 @@ "logsource.product": "windows", "refs": [ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], @@ -67013,8 +67341,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", "https://ss64.com/nt/netsh.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml" ], "tags": [ @@ -67169,8 +67497,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], "tags": [ @@ -67203,8 +67531,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", "https://github.com/sensepost/ruler", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], @@ -67246,11 +67574,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", - "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", - "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://twitter.com/aceresponder/status/1636116096506818562", + "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", + "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", + "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -67284,8 +67612,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1618021838407495681", "https://twitter.com/nas_bench/status/1618021415852335105", + "https://twitter.com/nas_bench/status/1618021838407495681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" ], "tags": [ @@ -67360,8 +67688,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://redcanary.com/blog/child-processes/", + "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml" ], "tags": [ @@ -67394,8 +67722,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", + "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" ], "tags": [ @@ -67429,8 +67757,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", - "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], "tags": [ @@ -67474,8 +67802,8 @@ "refs": [ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", - "https://twitter.com/vysecurity/status/974806438316072960", "https://twitter.com/vysecurity/status/873181705024266241", + "https://twitter.com/vysecurity/status/974806438316072960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" ], "tags": [ @@ -67582,8 +67910,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], @@ -67650,8 +67978,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/tevora-threat/SharpView/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" ], @@ -67718,8 +68046,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ @@ -67863,8 +68191,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml" ], "tags": [ @@ -67940,8 +68268,8 @@ "logsource.product": "windows", "refs": [ "https://www.revshells.com/", - "https://nmap.org/ncat/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], "tags": [ @@ -67974,11 +68302,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://twitter.com/egre55/status/1087685529016193025", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://twitter.com/egre55/status/1087685529016193025", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], "tags": [ @@ -68079,9 +68407,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/nt/for.html", - "https://ss64.com/ps/foreach-object.htmll", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://ss64.com/ps/foreach-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], "tags": [ @@ -68146,8 +68474,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", + "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" ], "tags": [ @@ -68414,8 +68742,8 @@ "logsource.product": "windows", "refs": [ "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], "tags": [ @@ -68448,9 +68776,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", - "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", "https://kb.acronis.com/content/60892", + "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", + "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ @@ -68648,8 +68976,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://twitter.com/Oddvarmoe/status/1641712700605513729", + "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" ], "tags": [ @@ -68674,11 +69002,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -68741,7 +69069,7 @@ "value": "Suspicious Certreq Command to Download" }, { - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "description": "Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/08/05", @@ -68826,8 +69154,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" ], "tags": [ @@ -68940,8 +69268,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/GhostPack/Seatbelt", + "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" ], "tags": [ @@ -68990,8 +69318,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" ], "tags": [ @@ -69059,8 +69387,8 @@ "logsource.product": "windows", "refs": [ "https://www.echotrail.io/insights/search/regsvr32.exe", - "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", "https://redcanary.com/blog/intelligence-insights-april-2022/", + "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" ], "tags": [ @@ -69093,8 +69421,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml" ], "tags": [ @@ -69262,7 +69590,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/", + "https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" ], "tags": [ @@ -69295,11 +69623,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], "tags": [ @@ -69342,10 +69670,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -69407,9 +69735,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ @@ -69442,8 +69770,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://asec.ahnlab.com/en/39828/", "https://twitter.com/GelosSnake/status/934900723426439170", + "https://asec.ahnlab.com/en/39828/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml" ], "tags": [ @@ -69599,9 +69927,9 @@ "value": "Sysmon Configuration Update" }, { - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "description": "Detects a suspicious script execution in temporary folders or folders accessible by environment variables", "meta": { - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/02/08", "falsepositive": [ "Unknown" @@ -69611,6 +69939,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], @@ -69645,8 +69975,8 @@ "logsource.product": "windows", "refs": [ "https://redcanary.com/blog/lateral-movement-winrm-wmi/", - "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://twitter.com/bohops/status/994405551751815170", + "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" ], "tags": [ @@ -69766,7 +70096,7 @@ "value": "Process Creation Using Sysnative Folder" }, { - "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.", + "description": "Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.", "meta": { "author": "pH-T (Nextron Systems)", "creation_date": "2023/04/17", @@ -69922,8 +70252,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", "https://securityxploded.com/", + "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" ], "tags": [ @@ -70057,8 +70387,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://youtu.be/5mqid-7zp8k?t=2481", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" @@ -70084,8 +70414,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ @@ -70186,8 +70516,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ @@ -70443,8 +70773,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ @@ -70477,9 +70807,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], "tags": [ @@ -70512,9 +70842,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], "tags": [ @@ -70547,8 +70877,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ @@ -70581,8 +70911,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml" ], "tags": [ @@ -70615,8 +70945,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.exploit-db.com/exploits/37525", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", + "https://www.exploit-db.com/exploits/37525", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], @@ -70734,8 +71064,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/med0x2e/status/1520402518685200384", "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", + "https://twitter.com/med0x2e/status/1520402518685200384", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml" ], "tags": [ @@ -70880,7 +71210,7 @@ "value": "Suspicious Tasklist Discovery Command" }, { - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/04/26", @@ -71011,10 +71341,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], @@ -71123,11 +71453,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], "tags": [ @@ -71160,9 +71490,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://abuse.io/lockergoga.txt", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], "tags": [ @@ -71305,9 +71635,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/issues/1009", "https://redcanary.com/blog/raspberry-robin/", - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ @@ -71497,8 +71827,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml" ], "tags": [ @@ -71565,8 +71895,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ @@ -71600,9 +71930,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", - "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], "tags": "No established tags" @@ -71671,8 +72001,8 @@ "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" ], "tags": [ @@ -71790,8 +72120,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml" ], "tags": [ @@ -71874,8 +72204,8 @@ "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml" ], "tags": [ @@ -71975,24 +72305,24 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://adsecurity.org/?p=2921", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/besimorhino/powercat", + "https://github.com/samratashok/nishang", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/adrecon/ADRecon", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://adsecurity.org/?p=2921", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/adrecon/AzureADRecon", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/besimorhino/powercat", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], "tags": [ @@ -72115,9 +72445,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1583914244344799235", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], "tags": [ @@ -72150,8 +72480,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], @@ -72278,8 +72608,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", + "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml" ], "tags": [ @@ -72312,8 +72642,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" ], "tags": [ @@ -72368,6 +72698,29 @@ "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", "value": "Renamed Whoami Execution" }, + { + "description": "Detects the execution of \"lodctr.exe\" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/06/15", + "falsepositive": [ + "Legitimate usage by an administrator" + ], + "filename": "proc_creation_win_lodctr_performance_counter_tampering.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "cc9d3712-6310-4320-b2df-7cb408274d53", + "value": "Rebuild Performance Counter Values Via Lodctr.EXE" + }, { "description": "Detects a set of suspicious network related commands often used in recon stages", "meta": { @@ -72637,9 +72990,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", - "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], "tags": [ @@ -72674,8 +73027,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.poweradmin.com/paexec/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ @@ -72775,8 +73128,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", "https://www.echotrail.io/insights/search/ilasm.exe", + "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" ], "tags": [ @@ -73101,10 +73454,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ @@ -73228,8 +73581,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://emkc.org/s/RJjuLa", + "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://redcanary.com/blog/chromeloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" ], @@ -73332,8 +73685,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ @@ -73366,11 +73719,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://twitter.com/bohops/status/980659399495741441", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ @@ -73450,11 +73803,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", + "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", - "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml" ], "tags": [ @@ -73561,9 +73914,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ @@ -73596,9 +73949,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://twitter.com/pabraeken/status/993298228840992768", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", - "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -73828,8 +74181,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], @@ -73854,8 +74207,8 @@ "logsource.product": "windows", "refs": [ "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", - "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ @@ -73991,10 +74344,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://twitter.com/lefterispan/status/1286259016436514816", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" ], "tags": [ @@ -74015,7 +74368,7 @@ "value": "Suspicious AgentExecutor PowerShell Execution" }, { - "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", + "description": "Detects usage of the \"dir\" command that is part of Windows batch/cmd to collect information about directories", "meta": { "author": "frack113", "creation_date": "2021/12/13", @@ -74136,8 +74489,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://lolbas-project.github.io/lolbas/Binaries/Print/", + "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ @@ -74170,8 +74523,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml" ], "tags": [ @@ -74204,8 +74557,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1550836225652686848", "https://persistence-info.github.io/Data/windowsterminalprofile.html", + "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ @@ -74229,8 +74582,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound", "https://github.com/BloodHoundAD/SharpHound", + "https://github.com/BloodHoundAD/BloodHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" ], "tags": [ @@ -74337,13 +74690,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/ntds-dit/", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/zcgonvh/NTDSDumpEx", - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://pentestlab.blog/tag/ntds-dit/", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/zcgonvh/NTDSDumpEx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -74548,8 +74901,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://ss64.com/nt/mklink.html", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml" ], "tags": [ @@ -74807,8 +75160,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://twitter.com/pabraeken/status/991335019833708544", + "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ @@ -74896,8 +75249,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ @@ -75053,9 +75406,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ @@ -75308,8 +75661,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", "https://twitter.com/mrd0x/status/1465058133303246867", + "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml" ], "tags": [ @@ -75452,8 +75805,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], "tags": [ @@ -75748,8 +76101,8 @@ "logsource.product": "windows", "refs": [ "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://ss64.com/bash/rar.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], "tags": [ @@ -75816,42 +76169,6 @@ "uuid": "a1473adb-5338-4a20-b4c3-126763e2d3d3", "value": "Suspicious Advpack Call Via Rundll32.EXE" }, - { - "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_office.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", - "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_office.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", - "value": "Suspicious File Download Using Office Application" - }, { "description": "Detects indicators of a UAC bypass method by mocking directories", "meta": { @@ -75865,8 +76182,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], @@ -76043,10 +76360,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://twitter.com/lefterispan/status/1286259016436514816", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml" ], "tags": [ @@ -76214,8 +76531,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/harr0ey/status/992008180904419328", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", + "https://twitter.com/harr0ey/status/992008180904419328", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" ], "tags": [ @@ -76281,8 +76598,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" ], "tags": [ @@ -76315,8 +76632,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md", + "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml" ], "tags": [ @@ -76506,8 +76823,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.anydesk.com/Automatic_Deployment", "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://support.anydesk.com/Automatic_Deployment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml" ], "tags": [ @@ -76541,9 +76858,9 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ @@ -76610,9 +76927,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", - "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], "tags": [ @@ -76669,9 +76986,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", "https://twitter.com/mvelazco/status/1410291741241102338", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml" ], "tags": [ @@ -76737,9 +77054,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", - "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", + "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], @@ -76782,8 +77099,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", "https://www.nextron-systems.com/?s=antivirus", + "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml" ], "tags": [ @@ -76816,16 +77133,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", - "https://github.com/tennc/webshell", "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ @@ -76858,11 +77175,11 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", + "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", + "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", + "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], @@ -76940,9 +77257,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ + "https://sec.okta.com/fastpassphishingdetection", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", - "https://sec.okta.com/fastpassphishingdetection", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ @@ -76976,8 +77293,8 @@ "logsource.product": "okta", "refs": [ "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": "No established tags" @@ -77210,9 +77527,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ + "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", - "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ @@ -77515,11 +77832,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", "https://www.sygnia.co/golden-saml-advisory", "https://o365blog.com/post/aadbackdoor/", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" ], "tags": [ @@ -78001,9 +78318,9 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ @@ -78040,8 +78357,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", + "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml" ], "tags": [ @@ -78227,11 +78544,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://github.com/elastic/detection-rules/pull/1267", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://github.com/elastic/detection-rules/pull/1267", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -78279,9 +78596,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://cloud.google.com/kubernetes-engine/docs", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" ], "tags": [ @@ -78509,8 +78826,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -78543,9 +78860,9 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" ], "tags": [ @@ -78568,8 +78885,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -78602,8 +78919,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml" ], "tags": [ @@ -78626,8 +78943,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml" ], "tags": [ @@ -78650,9 +78967,9 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" ], "tags": [ @@ -78675,8 +78992,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" ], "tags": [ @@ -78755,13 +79072,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://github.com/elastic/detection-rules/pull/1145/files", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -79039,8 +79356,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", "https://github.com/elastic/detection-rules/pull/1214", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml" ], "tags": [ @@ -79368,8 +79685,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", + "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml" ], @@ -79527,8 +79844,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", + "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_cred_endpoint_query.yml" ], @@ -79679,8 +79996,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ @@ -79723,6 +80040,48 @@ "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add", "value": "AWS Root Credentials" }, + { + "description": "Detects S3 Browser utility creating IAM User or AccessKey.", + "meta": { + "author": "daniel.bohannon@permiso.io (@danielhbohannon)", + "creation_date": "2023/05/17", + "falsepositive": [ + "Valid usage of S3 Browser for IAM User and/or AccessKey creation" + ], + "filename": "aws_iam_s3browser_user_or_accesskey_creation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_s3browser_user_or_accesskey_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1059.009", + "attack.t1078.004" + ] + }, + "related": [ + { + "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "db014773-d9d9-4792-91e5-133337c0ffee", + "value": "AWS IAM S3Browser User or AccessKey Creation" + }, { "description": "Detects AWS Config Service disabling", "meta": { @@ -80924,11 +81283,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -81209,8 +81568,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://blooteem.com/march-2022", + "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_suspicious_signin_bypassing_mfa.yml" ], "tags": [ @@ -82047,11 +82406,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -82118,11 +82477,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" ], "tags": [ @@ -82299,11 +82658,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -82359,8 +82718,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -82444,10 +82803,10 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" ], "tags": [ @@ -82549,11 +82908,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -83182,11 +83541,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -83211,11 +83570,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -83337,8 +83696,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ @@ -83371,8 +83730,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/pimps/JNDI-Exploit-Kit", + "https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml" ], "tags": "No established tags" @@ -83395,10 +83754,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/payloadbox/sql-injection-payload-list", "https://brightsec.com/blog/sql-injection-payloads/", - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://github.com/payloadbox/sql-injection-payload-list", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": "No established tags" @@ -83419,8 +83778,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", + "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" ], "tags": [ @@ -83453,10 +83812,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", - "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], @@ -83483,8 +83842,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/payloadbox/xss-payload-list", + "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml" ], "tags": "No established tags" @@ -83539,9 +83898,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", - "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", + "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], "tags": [ @@ -83574,8 +83933,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/sensepost/reGeorg", "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", + "https://github.com/sensepost/reGeorg", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml" ], "tags": [ @@ -83608,8 +83967,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://www.exploit-db.com/exploits/19525", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], @@ -83631,7 +83990,7 @@ "value": "Successful IIS Shortname Fuzzing Scan" }, { - "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication", + "description": "Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication", "meta": { "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/06/06", @@ -83678,8 +84037,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/payloadbox/ssti-payloads", "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", + "https://github.com/payloadbox/ssti-payloads", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml" ], "tags": "No established tags" @@ -83733,8 +84092,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop", "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", + "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml" ], "tags": [ @@ -83801,8 +84160,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://twitter.com/jhencinski/status/1102695118455349248", "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", + "https://twitter.com/jhencinski/status/1102695118455349248", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ @@ -83915,8 +84274,8 @@ "logsource.product": "No established product", "refs": [ "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", - "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", + "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml" ], "tags": [ @@ -84219,13 +84578,13 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://twitter.com/crep1x/status/1635034100213112833", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://perishablepress.com/blacklist/ua-2013.txt", "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", - "https://perishablepress.com/blacklist/ua-2013.txt", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], @@ -84259,9 +84618,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", "https://blog.talosintelligence.com/ipfs-abuse/", "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", + "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" ], "tags": [ @@ -84337,8 +84696,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://rclone.org/", + "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml" ], "tags": [ @@ -84471,8 +84830,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "https://twitter.com/craiu/status/1167358457344925696", + "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ios_implant.yml" ], "tags": [ @@ -84690,10 +85049,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://www.spamhaus.org/statistics/tlds/", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ @@ -84743,8 +85102,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", + "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_cobalt_amazon.yml" ], "tags": [ @@ -84952,8 +85311,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ @@ -85283,8 +85642,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://objective-see.org/blog/blog_0x4B.html", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ @@ -85367,8 +85726,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://ss64.com/osx/osacompile.html", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml" ], "tags": [ @@ -85401,9 +85760,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sysadminctl.html", "https://ss64.com/osx/dscl.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", + "https://ss64.com/osx/sysadminctl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml" ], "tags": [ @@ -85437,8 +85796,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ @@ -85679,8 +86038,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml" ], "tags": [ @@ -85899,8 +86258,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", - "https://linux.die.net/man/1/truncate", "https://linux.die.net/man/1/dd", + "https://linux.die.net/man/1/truncate", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ @@ -86133,8 +86492,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ @@ -86191,8 +86550,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", - "https://www.manpagez.com/man/8/firmwarepasswd/", "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://www.manpagez.com/man/8/firmwarepasswd/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ @@ -86559,8 +86918,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" ], "tags": [ @@ -86626,9 +86985,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], "tags": [ @@ -86750,8 +87109,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", "https://gist.github.com/Capybara/6228955", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" ], "tags": [ @@ -87368,9 +87727,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/8/insmod", "https://man7.org/linux/man-pages/man8/kmod.8.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", + "https://linux.die.net/man/8/insmod", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ @@ -87438,8 +87797,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://objective-see.org/blog/blog_0x68.html", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", + "https://objective-see.org/blog/blog_0x68.html", "https://www.glitch-cat.com/p/green-lambert-and-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], @@ -87474,8 +87833,8 @@ "logsource.product": "linux", "refs": [ "https://imagemagick.org/", - "https://linux.die.net/man/1/import", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://linux.die.net/man/1/import", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -87508,8 +87867,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" ], "tags": [ @@ -87575,10 +87934,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://mn3m.info/posts/suid-vs-capabilities/", "https://man7.org/linux/man-pages/man8/getcap.8.html", - "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", - "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -87653,8 +88012,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "https://blog.aquasec.com/container-security-tnt-container-attack", + "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml" ], "tags": [ @@ -87953,8 +88312,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/wget", "https://gtfobins.github.io/gtfobins/wget/", + "https://linux.die.net/man/1/wget", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" ], "tags": [ @@ -88329,10 +88688,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/chage", - "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", - "https://man7.org/linux/man-pages/man1/passwd.1.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", + "https://linux.die.net/man/1/chage", + "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ @@ -88433,8 +88792,8 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/pam_tty_audit", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], @@ -88542,9 +88901,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -88577,9 +88936,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://book.hacktricks.xyz/shells/shells/linux", - "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -88736,8 +89095,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://redcanary.com/blog/ebpf-malware/", + "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" ], "tags": [ @@ -88882,9 +89241,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/8/useradd", "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", + "https://linux.die.net/man/8/useradd", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], "tags": [ @@ -89049,10 +89408,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "http://pastebin.com/FtygZ1cg", - "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", - "https://artkond.com/2017/03/23/pivoting-guide/", + "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -89085,7 +89444,7 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", + "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], @@ -89317,8 +89676,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ @@ -89351,8 +89710,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://access.redhat.com/security/cve/cve-2019-14287", "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], @@ -89494,9 +89853,9 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], @@ -89531,9 +89890,9 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], @@ -89681,8 +90040,8 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" ], "tags": [ @@ -89791,8 +90150,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://access.redhat.com/security/cve/cve-2019-14287", "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], @@ -89868,9 +90227,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], @@ -89984,9 +90343,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/vim/", - "https://gtfobins.github.io/gtfobins/vimdiff/", "https://gtfobins.github.io/gtfobins/rvim/", + "https://gtfobins.github.io/gtfobins/vimdiff/", + "https://gtfobins.github.io/gtfobins/vim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], "tags": [ @@ -90019,9 +90378,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], @@ -90099,9 +90458,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], @@ -90202,9 +90561,9 @@ "logsource.product": "linux", "refs": [ "https://linuxhint.com/uninstall_yum_package/", + "https://linuxhint.com/uninstall-debian-packages/", "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", - "https://linuxhint.com/uninstall-debian-packages/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ @@ -90379,9 +90738,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://blogs.blackberry.com/", "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", - "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" ], "tags": [ @@ -90515,11 +90874,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://twitter.com/d1r4c/status/1279042657508081664", "https://curl.se/docs/manpage.html", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -90584,8 +90943,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml" ], "tags": [ @@ -90618,10 +90977,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", - "https://linux.die.net/man/8/userdel", - "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linux.die.net/man/8/userdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -90708,8 +91067,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", + "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml" ], "tags": [ @@ -90900,9 +91259,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], @@ -91051,8 +91410,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ @@ -91152,9 +91511,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], @@ -91188,8 +91547,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ @@ -91365,10 +91724,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/8/groupdel", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", - "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linux.die.net/man/8/groupdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -91435,9 +91794,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/carlospolop/PEASS-ng", + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ @@ -91604,9 +91963,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://linux.die.net/man/1/bash", "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://linux.die.net/man/1/bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" ], "tags": [ @@ -92076,10 +92435,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/Gui774ume/ebpfkit", + "https://github.com/pathtofile/bad-bpf", "https://github.com/carlospolop/PEASS-ng", "Internal Research", - "https://github.com/pathtofile/bad-bpf", + "https://github.com/Gui774ume/ebpfkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml" ], "tags": [ @@ -92102,9 +92461,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], "tags": [ @@ -92196,9 +92555,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], @@ -92366,8 +92725,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://attack.mitre.org/techniques/T1548/001/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" ], "tags": [ @@ -92400,8 +92759,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/apache/spark/pull/36315/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], @@ -92436,9 +92795,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], "tags": [ @@ -92471,9 +92830,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], @@ -92607,5 +92966,5 @@ "value": "Security Software Discovery - Linux" } ], - "version": 20230619 + "version": 20230715 }